DNS has always been a very open protocol, defined by the IETF and implemented by several independent open and closed source projects.
At Internetstiftelsen we are committed to DNS, as it is the core of our business. Therefore, when the DNS was extended with the DNS Security Extensions (DNSSEC) we were the first registry to sign our Top Level Domain (TLD). Of course, security is an important part of the DNS Security Extensions, and to be able to guarantee the security of the digital keys we use for DNSSEC signing we use hardware security modules (HSM).
HSM's are not only expensive, but also very opaque products. We have no details on the implementations, so we have to trust the developers and the producers of said products. In addition, we also have to trust the government in the countries of the producers. That is a lot of trust, and if time has shown anything, it is that in matters of security, openness and knowledge beats trust.
This fact prompted some people to start the CrypTech project. CrypTechs goal is to produce the design and code for an open hardware and open source hardware security module. The project, however, does not aim to produce actual HSM hardware. Enter Diamond Key, an ISOC offspring, not-for-profit company. Its mission is to take the CrypTech design and produce an actual HSM product from it.
During the first half of 2018 Internetstiftelsen bought two HSM from Diamond Key. While waiting for the final product we have received two alpha boards, so that we could start trying the HSM's out. On the 18th and 19th of September 2018 we had the pleasure of having Michael and Dominique from Diamond Key over at our offices, helping us getting acquainted with the HSM's.
Usually, HSM's are accessed through an API called PKCS#11. Unfortunately BINDs support for PKCS#11 is very rudimentary. For some reason BIND needs a patched version of OpenSSL to be able to use PKCS#11 API calls for cryptography. During our workshop we actually did get BIND to work with the CrypTech alpha boards. But BIND is of course not the only DNS server. A relatively new DNS implementation is KnotDNS from CZ.NIC. IT used the GNU TLS library and after some confusion about names and URL encodings we got Knot DNS to generate keys and sign zones with help of our CrypTech boards with RSASHA256 (2048 bit key) and ECDSAP256SHA256. Last but not least we did sign zones with OpenDNSSEC and the CrypTech boards.
All in all, two days well spent, with many lessons learned.