On 2011-04-05, at 21:34, Jay Daley wrote:
HSMs are expensive for a reason. $5k a unit entirely reasonable for that sort of specialised hardware. If much more than that, you should start asking questions.
Basic models start at around $15k and some suppliers go well north of that.
I've seen top-of-the-line, FIPS140-2 class 4-certified devices new for around USD 10k (and these are not devices you want to buy used, unless you get them reconditioned by a vendor, since you lose a documented chain of custody for the hardware which can make any tiered security policy built above it look like a waste of time). I realise you're talking about RSA performance here, but there is a good deal of knee-jerk "we need an HSM for security reasons" folklore spreading around the DNS community that I think needs to be damped down. DNSSEC signatures, as deployed by most people, have relatively short lifetimes (of the order of a week). This implies regular, automated re-signing of individual RRSets, which in turn implies an HSM which is on-line without requiring manual activation, at least for the ZSK. Some signer packages, e.g. OpenDNSSEC, don't support off-line KSK operation so in that case your KSK is on-line too. Hence, anybody who compromises your signers potentially has full ability to generate signatures using genuine keys. They don't have the ability to run off with the private key materials, but there are plenty of attack vectors where the ability to generate genuine signatures over bogus RRSets is sufficient (and in case of key compromise you can roll your ZSK on a sixpence anyway, and even the process through ICANN, NTIA and VeriSign to roll a DS RRSet in the root zone can be done in 48 hours). HSMs have their place, but I think it's a mistake to assume that they are necessary in order to maintain adequate security. An appropriate security policy involves a thorough threat analysis, and the results of that analysis might not always hinge on the use of cryptographic modules to store private keys -- in fact, the needless use of HSMs means greater operational complexity, additional hardware support burden, additional compatibility concerns and consequently reduced reliability. Security without reliability doesn't make much sense. With respect to performance, I think the realistic approach for provisioning purposes is to bear in mind that (a) even TLDs with extensive registrar/registrant DNSSEC uptake like CZ still don't see very high proportions of secure vs. insecure delegations, (b) insecure delegations (NS RRSets and associated glue) aren't signed in the parent zone, so zone size matters less than the number of secure delegations, (c) NSEC3 with opt-out avoids the signature burden of NSEC records, again scaling linearly with DNSSEC uptake by registrants, and (d) you can manage the signature load by imposing jitter on individual signature inception and expiry times to avoid having to do wholesale re-signing of the whole zone except in times of unusual system failure, at which point most bets are off anyway. Choosing crypto (accelerator) modules based on required performance to do a complete re-sign of the projected zone size in 5 years assuming 100% secure delegations might well serve no better in practice than a vastly lower-spec solution, given the rarity of that scenario. Joe