I have read fobser-dnsop-dnssec-keyrestore-01. It could not be published in the way it is, but if you believe in early adoption of documents that a WG wants to work on, then it could be adopted now. I slightly agree with Paul and Wes' criticism, but I see it in the opposite way.
Paul Hoffman <[email protected]> wrote:

> Said another way: I'm against WG adoption of this draft if it is only
> about HSMs or primarily focused on them, but in favor of it if it covers the
> typical use cases for DNSSEC signers. As others have said, "how to deal
> with HSM private key loss" is a blog post (that should talk about
> specific HSMs), not a long-lived RFC.

a. I have no problem with this document talking about HSMs. Just put it in the title: "DNSSEC Key Restore for HSM managed keys". I would change it to read something like:

   s/The private key is typically kept secret by using Hardware Security/When a private key is kept secret by using Hardware Security/ ...

b. Maybe a reason we have only 24M signed is because we lack this document that is aimed specifically at recovery from HSM failures. I wondered how many zones there are now, and actually couldn't find even people arguing on reddit about this. 150M .com as of 2021, so at least 10 to 100x more than 24M to sign.

c. When my neighbour's RPI2-based authoritative primary eats its SD card (again). [It's a "Home SDcard Mangler" == HSM]... If there are gentler recoveries when it's a *nix machine, great.

--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
