[Opendnssec-user] Why protect keys with a hardware HSM?

Ville Mattila vmattila at csc.fi
Tue Oct 27 08:08:37 UTC 2009


Why should one bother setting up a hardware HSM for the OpenDNSSEC signer
to protect zone/key signing keys?

Consider an attacker trying to forge a signed zone.  He gains root privileges
on the OpenDNSSEC signer host and modifies the incoming yet-unsigned zone
data before the records are fed to the HSM for signing.  Thus root access
(and the user processing the incoming unsigned zone) on the OpenDNSSEC signer
host must be secured very carefully regardless of whether one is using
a hardware or software HSM.  Right?

Keys must, of course, be well protected, and a hardware HSM does that
better than software (because of far more restricted physical/software
access methods?).  But what are the signing keys in general good for
from an attacker's point of view?  Use them for poisoning a resolver's cache
with e.g. the well-known Kaminsky method?  Anything else?


Ville Mattila, System Specialist, Funet network, CSC
PO Box 405, FIN-02101 Espoo, Finland, fax +358 9 457 2302
CSC is the Finnish IT Center for Science, http://www.csc.fi/, email:
ville.mattila at csc.fi
