Root Zone KSK HSM Update

13 April 2023

Recently IANA became aware of a decision by the manufacturer of our hardware security modules (HSMs) to cease production of the devices. Further, there is no successor product as they are exiting that line of business.

The Keyper products we use were in part selected as they were the only viable device that met FIPS 140-2 Level 4 certification, the highest certification possible. They do not provide a function that would allow the private key to be exported and imported into an alternative vendor’s device.

This news came after we announced last month that we are intending to generate the next Root Zone KSK during our ceremony later this month. That key is planned for production use from 2025-2029 approximately.

In light of the news of the HSMs, our plan is as follows:

  • We are commencing a comprehensive analysis of the options available for KSK storage into the future. We understand that may involve adaptations to the security model, and once we’ve identified our preferred plan of action, we will consult on any implications of the new vendor selection.

  • We plan to continue to generate the next KSK this year. We expect the need to switch HSMs may either alter the timeframe it is in production, or may pre-empt rolling to that key completely. However, if we do not generate the next KSK, it limits the options available to us in the future.

  • We are working with the vendor to ensure we have the best capability to continue to utilise the current HSMs for the next five years at least. This includes procuring additional spares and exploring options for reconditioning units with new batteries and the like.

We’re happy to answer any questions and we’ll keep you posted as circumstances evolve. Obviously the HSM is at the heart of the security of the KSK so we will be devoting significant resources to this development in the coming year.

https://mm.icann.org/pipermail/root-dnssec-announce/2023/000157.html