Peter Thomassen via Datatracker <[email protected]> writes: > This document describes the issues surrounding the handling of DNSSEC > private keys in a DNSSEC signer. It presents operational guidance in > case a DNSSEC private key becoming inoperable.
In general I favor adopting this as it provides some guidance that is certainly needed for helping people recover in emergent situations. Having said that, I do take issue with the scope vs the text. The introduction states: The private key is typically kept secret by using Hardware Security Modules (HSMs). This is definitely not typical. It may be typical for TLDs (and the root, which is out of scope) and maybe some other high-value zones. But of the 24.8M domains signed today, I'd argue a very very very low percentage makes use of HSMs. So either: the document should clearly state this is only for zones that make use of HSMs or similar technologies, or should be framed more generically to benefit anyone that loses their key regardless of how. I'd opt for the second option. -- Wes Hardaker Google _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
