Hi, I'm in favour of adopting this draft. I believe it will be useful to have this as a reference in a DR plan, especially, but not exclusively, during the task of replacing old HSMs with new ones.
Felipe

On Thu, 19 Feb 2026 at 12:27, Martin Pels <[email protected]> wrote:

> Hello,
>
> As co-author I'm naturally in favor of WG adoption. I wanted to respond
> to some of the feedback so far to clarify our reasoning for publishing this.
>
> The idea for this draft came to light during our work preparing for
> ISO27001 certification.
>
> Since we operate infrastructure that is critical to the operation for
> large parts of the Internet, our risk analysis for business continuity
> includes major events such as natural disasters and wars, with
> country-level impact. While we have both technical and operational
> measures in place for redundancy and backups, these may not be
> sufficient in the aforementioned scenarios. It is fairly easy to keep
> many copies of signed zones with public DNS data around. Doing the same
> for signer keys, while keeping them secure, is not.
>
> Does documenting this process stress the complexity and fragility of
> DNSSEC? Perhaps, but not documenting the risks and how to recover from
> them will not make those risks disappear. And as with many things, this
> procedure is only complicated if you have never done it before. After
> having performed a couple of trial runs of this process ourselves, we
> found that it is fairly logical and not much more complicated than a
> manual regular key rollover.
>
> There is also the NIS2[0] legislation to consider, which will apply to
> many DNS providers in the EU. We therefore expect more organisations
> will have a need to write down and test disaster recovery scenarios.
> Having a formal document to refer to (rather than a random blog post)
> could help in this.
>
> Kind regards,
> Martin
>
> [0] https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
"Doubt is the beginning of wisdom"
