Feature Request; SmartCard, hardware token or HSM-support for KSK/ZSK?
Hi,
This is probably a bit of a long-term request, but hopefully it doesn't hurt to pitch the idea.
It's long been possible to use SmartCards with OpenSSL and similar.
Also, the price of entry-level hardware tokens (mini HSMs if you will) is dropping, and you can now get devices such as the NitroKey-HSM for €49. That's cheap enough to be a non-issue for most, even for hobby/enthusiast use.
Performance is also better than a typical smartcard, listed as RSA2048 at 100/min, and ECDSA256 at 360/min.
This means that for a lot of organizations, it's now entirely possible to use smartcards for KSK, NitroKey-HSM for ZSK.
Even for larger setups, you could use NitroKey-HSM for KSK, and a dedicated machine with SoftHSM and Caml-Crush for ZSK, which I'm guessing would allow for significantly better performance.
Put in perspective, 100/min for RSA would allow for about a million ZSK rotations per week in such a setup (ZSK rotated, signed by KSK in hardware).
DNSSEC is not only being used for securing DNS itself, but also opens up new applications such as DANE, not just for https, but also inter-domain email and PGP-key discovery.
I'm not sure what the proper flow for allowing such usage would be though, perhaps being able to use keymgr to specify a token-key to be used for a zone, or similar.