On Fri, 13 Feb 2026, Peter Thomassen via Datatracker wrote:

Subject: [DNSOP] Call for adoption: draft-fobser-dnsop-dnssec-keyrestore-01
    (Ends 2026-02-27)

This message starts a dnsop WG Call for Adoption of:
draft-fobser-dnsop-dnssec-keyrestore-01

I am not in favour of adopting this document. The hypothetical scenario
where one has lost the key, but the zone is still working seems fairly
unlikely. It is far more likely one finds out about the missing key
once it is needed to sign something and can't, at which point it is
going to be too late.

I also don't think people who messed up and are in a panic are going to
search for an RFC on how to recover from their mistake.

A side effect of RFCs like this is that it will be misused by opponents
to say that DNSSEC is so brittle, it needs RFCs to talk about operator
errors.

It also makes many assumptions, such as that HSMs are used "typically".
I believe 99% of DNSSEC private keys do not live in a hardware HSM. And
thus the entire document is moot there, as if you can't do a simple
software backup/restore, perhaps the service being down is just the
inevitable outcome and no DNS RFC is going to help you.

This could make a nice blog post, but I don't think it meets the bar for an
RFC.

Paul

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]