Stephane,

Stephane Bortzmeyer wrote:
> But the risk for the key is not only people modifying it, it is simply
> people *reading* it (a concern which also exists for the database but
> is much less important).
>
> I have no practical experience with HSMs but, in my mind, the
> interesting thing is that they guarantee no one will read the key
> without an authorization (that's quite unlike the database where you
> certainly prefer a few unauthorized looks to a complete loss).
This is the key point IMHO. AIUI, the attack vector that HSMs are designed to protect against is that someone makes a copy of your key signing material without you knowing about it. Once they do that, they can spoof replies until such time as you roll your key.

If an unauthorized person modifies the contents of the database backing your zone, you may or may not know about it, but an observant customer will at least notice that the data has changed. So the two are not totally equivalent.

Having said that, I agree that HSM hysteria is a bit overblown, and that the actual DNSSEC signing is very, very unlikely to be the weakest link in DNS security in any organization.

--
Shane

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop