Oct 11 – 13, 2014
Hyatt Regency Century Plaza
US/Pacific timezone

Low-Cost Threshold Cryptography HSM for OpenDNSSEC

Oct 13, 2014, 11:50 AM
Westside (Hyatt Regency Century Plaza)


2025 Avenue of the Stars Los Angeles California 90067 USA
Joint OARC/Tech Day (Monday)


Mr Francisco Cifuentes (NIC Chile Research Labs)


The DNS Security Extensions (DNSSEC) add a new layer of security based on public-key infrastructure: each DNS record is digitally signed so that the authenticity of the answer can be verified. However, the introduction of DNSSEC has an impact on the operational workflow of DNS systems: (i) signatures have an expiration date, hence the records must be periodically re-signed, and (ii) key management tasks can be overwhelming. These are problems especially for DNS zones with several records (for instance a Top Level Domain). Adopting a Hardware Security Module (HSM) is one option to provide highly secured keys and signature management. Nevertheless, HSMs are expensive and hardware can fail. We present a novel system based on threshold cryptography to support the operational signing workflow of DNSSEC. This approach significantly improves the security and availability of the overall system, since the secret key is never stored in a single place; it is spread among the nodes of the system.

Primary author

Mr Francisco Cifuentes (NIC Chile Research Labs)
