IETF Logo Mail Archive

Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Florian Weimer <fweimer@bfk.de> Tue, 21 April 2009 15:02 UTC

Return-Path: <fweimer@bfk.de>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4FFA73A6901 for <dnsop@core3.amsl.com>; Tue, 21 Apr 2009 08:02:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.208
X-Spam-Level:
X-Spam-Status: No, score=-1.208 tagged_above=-999 required=5 tests=[AWL=1.041, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l73c4mOwp49c for <dnsop@core3.amsl.com>; Tue, 21 Apr 2009 08:02:09 -0700 (PDT)
Received: from mx01.bfk.de (mx01.bfk.de [193.227.124.2]) by core3.amsl.com (Postfix) with ESMTP id 6FBF43A6A67 for <dnsop@ietf.org>; Tue, 21 Apr 2009 08:02:09 -0700 (PDT)
Received: from mx00.int.bfk.de ([10.119.110.2]) by mx01.bfk.de with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) id 1LwHV4-0003uI-Km; Tue, 21 Apr 2009 17:03:06 +0200
Received: from fweimer by bfk.de with local id 1LwHVL-0007hQ-Iq; Tue, 21 Apr 2009 17:03:23 +0200
To: Edward Lewis <Ed.Lewis@neustar.biz>
References: <20090306141501.4BA2F3A6B4B@core3.amsl.com> <49EDA81E.2000600@ca.afilias.info> <a06240805c6138a622949@[10.31.200.142]>
From: Florian Weimer <fweimer@bfk.de>
Date: Tue, 21 Apr 2009 17:03:23 +0200
In-Reply-To: <a06240805c6138a622949@[10.31.200.142]> (Edward Lewis's message of "Tue, 21 Apr 2009 10:51:52 -0400")
Message-ID: <82iqkykq10.fsf@mid.bfk.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2009 15:02:10 -0000

* Edward Lewis:

> This comes from the observation that the contents of the database
> sourcing the zone (whether a commercial-like database or a vi'd file)
> are more critical than the private key.  (If) They are sufficiently
> protected and I'll just keep the private key behind the same
> fortifications.  So, what does an HSM add?

I think the general idea is that if you have to edit your zone because
it was tampered with, chances are that nobody will notice (or
everybody will attribute it to routine maintenance).  If your key is
compromised and you have to replace it out of schedule, you might have
got some explaining to do. 8-)

Of course, this isn't a strong argument in favor of HSMs.

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

v2.23.0 | Report a Bug | By Email