Wednesday, April 19, 2017

HSM




The aforementioned KSK for the root zone forms the trust anchor for DNSSEC. From
these seven so-called Crypto Officers, any three together can, with the help of a secret sharing protocol, issue new signatures for the respective ZSKs of the root zone. To do this, they need to meet every three months at one of two secure sites in the USA. In the case of a catastrophic event, the KSK can be recovered by a third group of seven experts. To do this, five of these Recovery Key Share Hold- ers must bring their part of a symmetric key and meet at a secret location where there is an encrypted copy of the KSK. Details of this procedure can be found in [ICA10], for instance. The actual signature of the mappings of the root zone is made with the private part of the corresponding ZSK, which is produced and used by the American company Verisign.

In order to increase
the trust and confidence in the root-zone KSK, it is controlled by international
experts.   The private part of the key is retained in two
Hardware Security Modules (HSM), which can be activated in each
case by a group of seven recognised international experts.