Information in English will follow.
.SE has carried out a key rollover of the KSK for DNSSEC. The KSK for 2009-2010 with key id = 8779 is no longer valid. Updating of the information in the root zone is in progress.
This is only important for those who, for some reason, do not validate DNSSEC with the root key.
We recommend using only the root as a trust anchor (TA). If you nevertheless choose to use .SE as a trust anchor, you should configure the key for 2011-2012 (key id = 7649) in your resolver no later than 2011-12-31.
A text file with the current keys is available at https://www.iis.se/docs/ksk.txt
Any questions can be sent to dnssec-info(a)iis.se.
Kind regards
Anne-Marie Eklund Löwinder
Quality and Security Manager
.SE (The Internet Infrastructure Foundation)
Address: Ringvägen 100
Postal address: Box 7399, 103 91 Stockholm
Switchboard: 08-452 35 00
Direct: 08-452 35 17
Mobile: 0734-31 53 10
E-mail: anne-marie.eklund-lowinder(a)iis.se
Website: http://www.iis.se
.SE has performed a DNSSEC KSK key roll over. The KSK for 2009-2010 with key id = 8779 is no longer valid.
This is only of concern to those who for some reason don’t validate DNSSEC with the root key.
Our recommendation is to only use the root key as a trust anchor (TA). If you still choose to use .SE as TA, you must configure the key for 2011-2012 (key id = 7649) in your resolver no later than 2011-12-31.
A text file with valid keys is available at https://www.iis.se/docs/ksk.txt
Questions may be addressed to dnssec-info(a)iis.se.
Kind regards,
Anne-Marie Eklund Löwinder
Quality & Security Manager
.SE (The Internet Infrastructure Foundation), PO Box 7399, SE-103 91 Stockholm, Sweden
Phone: +46 (0)8-452 35 00/17
Mobile: +46 (0)734 315 310
E-mail: anne-marie.eklund-lowinder(a)iis.se
Web: http://www.iis.se
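
An added example, not part of the announcement or of .SE's tooling: a check that a locally configured .SE trust anchor is not the retired KSK, done by computing the key id (the RFC 4034 Appendix B key tag) from the DNSKEY record itself. It assumes the anchor is held as a single-line DNSKEY record in presentation format; the function names and the sample key are constructed for illustration.

```python
import base64
import struct

RETIRED_KEY_IDS = {8779}  # KSK for 2009-2010, per the announcement
CURRENT_KEY_ID = 7649     # KSK for 2011-2012, per the announcement
SEP_BIT = 0x0001          # Secure Entry Point flag; KSKs carry flags 257


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line):
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64 ...>'."""
    fields = line.split(";", 1)[0].split()  # drop a trailing comment
    idx = [f.upper() for f in fields].index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    public_key = base64.b64decode("".join(fields[idx + 4:]))
    return flags, protocol, algorithm, public_key


def audit_anchor(line, expected=CURRENT_KEY_ID, retired=RETIRED_KEY_IDS):
    """Return (key_id, status) for one configured trust anchor record."""
    flags, protocol, algorithm, public_key = parse_dnskey(line)
    tag = key_tag(flags, protocol, algorithm, public_key)
    if tag in retired:
        return tag, "retired"   # must be removed from the resolver
    if not flags & SEP_BIT:
        return tag, "not-sep"   # a ZSK should not be a trust anchor
    if tag == expected:
        return tag, "current"
    return tag, "unknown"       # compare against the published key file


if __name__ == "__main__":
    # Constructed sample record, NOT a real .SE key.
    sample = "se. IN DNSKEY 257 3 5 AQAB ; constructed test key"
    print(audit_anchor(sample))
```

A key id is a 16-bit checksum, not a fingerprint, so a "current" result is a sanity check only; the full key material should still be compared with the published key file.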
For your information.
Kind regards,
Anne-Marie Eklund Löwinder
Quality & Security Manager
.SE (The Internet Infrastructure Foundation), PO Box 7399, SE-103 91 Stockholm, Sweden
Phone: +46 (0)8-452 35 00/17
Mobile: +46 (0)734 315 310
E-mail: anne-marie.eklund-lowinder(a)iis.se
Web: http://www.iis.se
> -----Original message-----
> From: dnssec-deployment-bounces(a)dnssec-deployment.org [mailto:dnssec-deployment-bounces(a)dnssec-deployment.org] On behalf of Rickard Bellgrim
> Sent: 12 January 2011 08:37
> To: DNSSEC deployment
> Subject: [Dnssec-deployment] A Review of Hardware Security Modules
>
> Hi
>
> We would like to present the report "A Review of Hardware Security
> Modules" that was published today.
>
> This report describes a technical review of four leading network based
> Hardware Security Modules performed during the fall of 2010. When
> deriving the review point set the focus was primarily on security
> features and functionality used for DNSSEC applications. However the
> more interesting findings were in different areas such as usability and
> management procedures.
>
> Generally all the modules work as expected and offer the necessary
> functionality one needs from a secure crypto processor. Which HSM to
> choose depends on budget, the deployment scenario, performance
> requirements and other application specific facts. From an application
> perspective the PKCS#11 interface worked exemplary on all modules. Once
> set up we hardly experienced any problems with the interface. The only
> issue worth mentioning is the fact that we needed to execute several
> concurrent threads (for all modules) in order to achieve a decent HSM
> CPU load.
>
> There was a high level of diversity in how features such as role
> structure, authorization models and key backup were implemented. A more
> standardized security and authorization model and nomenclature would
> have been favourable. Instead each vendor has chosen to integrate with
> the PKCS#11 model in different fashions. An evolvement of the PKCS#11
> standard to incorporate more complex than smartcards would probably be
> advisable.
>
> When performing this review it would have been very helpful to have had
> access to best practise recommendations for setting up and configuring
> HSMs. Such a text could also document certain application areas and
> general deployment scenarios. At the moment the user is referred
> primarily to vendor specific whitepapers and presentations.
>
> You can read the full report here:
> http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf
>
> // OpenDNSSEC team