11-13 October 2014
Hyatt Regency Century Plaza
US/Pacific timezone


Hyatt Regency Century Plaza - Westside
Joint OARC/Tech Day

Low-Cost Threshold Cryptography HSM for OpenDNSSEC


Primary authors

  • Mr. Francisco CIFUENTES

Abstract content

The DNS Security Extensions (DNSSEC) add a new layer of security based on public-key infrastructure: each DNS record is digitally signed to verify the authenticity of the answer. However, the introduction of DNSSEC has an impact on the operational workflow of DNS systems: (i) signatures have an expiration date, hence the records must be signed periodically, and (ii) key management tasks can be overwhelming. These problems are especially acute for DNS zones with several records (for instance, a Top Level Domain). Adopting a Hardware Security Module (HSM) is one option for highly secure key and signature management. Nevertheless, HSMs are expensive and hardware can fail. We present a novel system based on threshold cryptography to support the operational signing workflow of DNSSEC. This approach significantly improves the security and availability of the overall system, since the secret key is never stored in a single place; it is spread among the nodes of the system.
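
The abstract does not name the threshold scheme, so the following added example (not the authors' code) assumes Shoup's threshold RSA to show how nodes can sign without the private key ever being assembled. The toy safe primes, the 3-of-5 layout, the sample record and all function names are constructed for illustration.

```python
import hashlib, math, secrets

# Constructed toy parameters (assumptions): tiny safe primes, far too small for real use.
P, Q = 1019, 1187              # P = 2*509 + 1, Q = 2*593 + 1
N, M = P * Q, 509 * 593        # N is public; M = p'q' is known to the dealer only
E = 65537                      # public exponent, a prime larger than the node count
NODES, THRESHOLD = 5, 3        # any 3 of 5 nodes can sign
DELTA = math.factorial(NODES)

def deal_shares() -> dict:
    """Dealer: hide d = E^-1 mod M as f(0) of a random degree-(k-1) polynomial."""
    coeffs = [pow(E, -1, M)] + [secrets.randbelow(M) for _ in range(THRESHOLD - 1)]
    return {i: sum(c * i**k for k, c in enumerate(coeffs)) % M
            for i in range(1, NODES + 1)}

def digest(msg: bytes) -> int:
    """Map the data to be signed to an integer coprime to N (toy hash-to-Z_N*)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(msg + bytes([ctr])).digest(), "big") % N
        if math.gcd(x, N) == 1:
            return x
        ctr += 1

def partial_sign(x: int, share: int) -> int:
    """Runs on one node and touches only that node's share."""
    return pow(x, 2 * DELTA * share, N)

def combine(x: int, partials: dict) -> int:
    """Turn THRESHOLD partial signatures into an ordinary RSA signature on x."""
    if len(partials) < THRESHOLD:
        raise ValueError("not enough signature shares")
    ids = sorted(partials)[:THRESHOLD]
    w = 1
    for j in ids:
        num, den = DELTA, 1    # integer Lagrange coefficient at 0, scaled by DELTA
        for other in ids:
            if other != j:
                num, den = num * -other, den * (j - other)
        w = w * pow(partials[j], 2 * (num // den), N) % N
    # Now w^E == x^(4*DELTA^2). Solve a*4*DELTA^2 + b*E == 1 to extract x^(1/E).
    e_prime = 4 * DELTA**2
    a = pow(e_prime, -1, E)
    b = (1 - a * e_prime) // E
    return pow(w, a, N) * pow(x, b, N) % N

def verify(x: int, sig: int) -> bool:
    """Standard RSA verification with the public key (N, E) only."""
    return pow(sig, E, N) == x
```

Any three nodes produce the same signature a single-key RSA signer would, so a resolver validating with the public key cannot tell the difference, while two nodes being offline does not stop signing.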