HSM backup considerations

Written by Rick van Rein in category: Architecture, Resilience, Technical, Timing

When you start to support DNSSEC, you are suddenly supposed to manage the keys used to sign the domain. This is a typical task for a security officer. Typical concerns are to conceal the private keys from outside-world prying eyes, and to avoid losing keys as long as the outside world needs them to trust […]

The power of idempotence

Written by Rick van Rein in category: Architecture, Resilience

If any design principle has been leading our architectural work around resilience for DNSSEC, it has been idempotence. It is one of those algebraic concepts that really helps to beat sense into a complex set of choices. Idempotence means that doing the same thing twice is no different from doing it once. Painting orange on […]

Monitoring DNSSEC

Written by Migiel de Vos in category: Resilience, Technical

DNS is currently a “once it runs, never touch it again” infrastructure. This changes with the introduction of DNSSEC. Managing a DNSSEC-signed zone involves a continuous effort of re-signing zones and generating key material. Apart from that, DNS is a fundamental Internet protocol, thus the changes required to implement DNSSEC have an impact at […]