[dns-operations] .de DNSSEC issue root cause
Joe Abley
jabley at strandkip.nl
Fri Jun 12 19:17:35 UTC 2026
On 12 Jun 2026, at 20:05, Randy Bush <randy at psg.com> wrote:
>> - choose your HSM vendors carefully so that there are opportunities to
>> replicate secrets between HSMs without exposing them. This is not
>> impossible.
>
> no standard exists
None that I am aware of. That's why I used "not impossible" instead of "easy" or something.
>> - use multiple vendors and publish a public key from each. If I
>> understand what I have read, if DENIC had included a ZSK per HSM in
>> their DNSKEY RRSet, then signatures over RRSets in the zone by any
>> one of them would have validated just fine.
>
> yes. but from what i read, i think they were going for single key
Yep.
>> Generally, I think it's much easier to have confidence in a system
>> where the secrets remain beyond the tamper barrier at all times, by
>> design than to manage the exposure. But different risk assessments
>> might well point to different solutions.
>
> as sra points out [knot's
> multi-signer](https://en.blog.nic.cz/2025/05/07/knot-dns-in-a-complex-dnssec-topology/)
> approach has appeal; though it is a bit complex
Multi-signer is what my "ZSK per HSM" amounts to. It's fairly robust in terms of being consumed as expected. Christian Elmerot described at an OARC meeting a while back how it was used during a transition phase in a change of back-end providers for .GOV, for example, during which there were no observed validation failures.
Multi-vendor solutions have their own challenges too, of course.
Joe
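The "ZSK per HSM" / multi-signer idea in the message above rests on one validator rule: RFC 4035 section 5.3.1 only requires that some DNSKEY in the zone's DNSKEY RRSet, with the RRSIG's algorithm and key tag and the Zone Key flag set, verifies the signature. Two independent signers that each publish their own ZSK can therefore each sign RRSets, and a validator that has the combined DNSKEY RRSet accepts either one. The following Go program is an added illustration of that rule; it is not code from the thread, from DENIC, Knot DNS or any other product mentioned. It assumes a deliberately simplified, text-based canonical form for the signed data (not the RFC 4034 wire format, so it will not interoperate with real resolvers), uses the standard-library Ed25519 (DNSSEC algorithm 15) in place of HSM-held keys, and the signer names hsm-a and hsm-b are hypothetical. The DNSKEY RRSet itself is assumed to be trusted (its KSK signature is out of scope here).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// algEd25519 is the DNSSEC algorithm number for Ed25519 (RFC 8080).
const algEd25519 = 15

// DNSKEY holds the RDATA fields of a DNSKEY RR (RFC 4034 section 2).
type DNSKEY struct {
	Flags     uint16 // 256 = Zone Key, 257 = Zone Key + SEP
	Protocol  uint8  // always 3
	Algorithm uint8
	PublicKey []byte
}

// RDATA serialises the DNSKEY fields in wire order; the key tag is computed over this.
func (k DNSKEY) RDATA() []byte {
	b := make([]byte, 4, 4+len(k.PublicKey))
	binary.BigEndian.PutUint16(b, k.Flags)
	b[2] = k.Protocol
	b[3] = k.Algorithm
	return append(b, k.PublicKey...)
}

// KeyTag implements the checksum-style key tag of RFC 4034 Appendix B.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, c := range k.RDATA() {
		if i&1 == 1 {
			ac += uint32(c)
		} else {
			ac += uint32(c) << 8
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// RRSIG carries the fields a validator needs to locate a candidate key and verify.
type RRSIG struct {
	TypeCovered string
	Algorithm   uint8
	KeyTag      uint16
	SignerName  string
	Signature   []byte
}

// signedData builds the bytes that are signed: RRSIG fields without the signature,
// followed by the RRset in canonical (sorted, lower-cased) order. This is a simplified
// stand-in for RFC 4034 section 3.1.8.1, not the real wire encoding (assumption).
func signedData(sig RRSIG, rrset []string) []byte {
	var sb strings.Builder
	fmt.Fprintf(&sb, "%s|%d|%d|%s|", sig.TypeCovered, sig.Algorithm, sig.KeyTag, strings.ToLower(sig.SignerName))
	sorted := append([]string(nil), rrset...)
	sort.Strings(sorted)
	for _, rr := range sorted {
		sb.WriteString(strings.ToLower(rr))
		sb.WriteByte('\n')
	}
	return []byte(sb.String())
}

// Signer models one signing back end (one HSM or provider) with its own ZSK.
type Signer struct {
	Name string
	Key  DNSKEY
	priv ed25519.PrivateKey // in reality this never leaves the HSM
}

// NewSigner generates a fresh Ed25519 ZSK for the named back end.
func NewSigner(name string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Key: DNSKEY{Flags: 256, Protocol: 3, Algorithm: algEd25519, PublicKey: pub}, priv: priv}
}

// Sign produces an RRSIG over rrset using this signer's ZSK.
func (s Signer) Sign(typeCovered, zone string, rrset []string) RRSIG {
	sig := RRSIG{TypeCovered: typeCovered, Algorithm: algEd25519, KeyTag: s.Key.KeyTag(), SignerName: zone}
	sig.Signature = ed25519.Sign(s.priv, signedData(sig, rrset))
	return sig
}

// Validate applies the RFC 4035 section 5.3.1 rule: the RRSIG is accepted if any
// DNSKEY in the published set with the same algorithm and key tag and the Zone Key
// flag verifies it. All candidates are tried because key tags can collide.
func Validate(dnskeys []DNSKEY, sig RRSIG, rrset []string) bool {
	data := signedData(sig, rrset)
	for _, k := range dnskeys {
		if k.Algorithm != sig.Algorithm || k.KeyTag() != sig.KeyTag || k.Flags&0x0100 == 0 {
			continue
		}
		if len(k.PublicKey) == ed25519.PublicKeySize &&
			ed25519.Verify(ed25519.PublicKey(k.PublicKey), data, sig.Signature) {
			return true
		}
	}
	return false
}

// MultiSignerDemo signs an A RRset with hsm-a only and returns whether it validates
// against (1) a DNSKEY RRSet publishing both ZSKs and (2) one publishing only hsm-b's.
func MultiSignerDemo() (withBothKeys, withOnlyOtherKey bool) {
	hsmA, hsmB := NewSigner("hsm-a"), NewSigner("hsm-b") // hypothetical back ends
	rrset := []string{"www.example. 3600 IN A 192.0.2.1", "www.example. 3600 IN A 192.0.2.2"} // constructed sample
	sig := hsmA.Sign("A", "example.", rrset)
	return Validate([]DNSKEY{hsmA.Key, hsmB.Key}, sig, rrset), Validate([]DNSKEY{hsmB.Key}, sig, rrset)
}

func main() {
	both, onlyB := MultiSignerDemo()
	fmt.Printf("DNSKEY RRSet with both ZSKs: valid=%v\nDNSKEY RRSet with only the other ZSK: valid=%v\n", both, onlyB)
}
```

The second result is the failure mode the thread is about: if the published DNSKEY RRSet carries a single ZSK and the RRSIGs in the zone were made by a key that is not in it, every validating resolver rejects those RRSets. Publishing one ZSK per signing back end keeps both in the set, so a signature from either verifies.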