Root Zone KSK HSM Update

Kim Davies kim.davies at
Thu Apr 13 17:56:28 UTC 2023

Recently we became aware of a decision by the manufacturer of our hardware
security modules (HSMs) to cease production of the devices. Further, there is
no successor product as they are exiting that line of business[1].

The Keyper products we use were in part selected as they were the only viable
device that met FIPS 140-2 Level 4 certification, the highest certification
possible. They do not provide a function that would allow the private key to be
exported and imported into an alternative vendor’s device.

This news came after we announced last month that we are intending the generate
the next Root Zone KSK during our ceremony later this month. That key is planned
for production use from 2025-2029 approximately.

In light of the news of the HSMs, our plan is as follows:

* We are commencing a comprehensive analysis of the options available for
  KSK storage into the future. We understand that may involve adaptations
  to the security model, and once we’ve identified our preferred plan of
  action, we will consult on any implications of the new vendor selection.

* We plan to continue to generate the next KSK this year. We expect the need
  to switch HSMs may either alter the timeframe it is in production, or may
  pre-empt rolling to that key completely. However if we do not generate
  the next KSK, it limits the options available to us in the future.

* We are working with the vendor to ensure we have the best capability to
  continue to utilise the current HSMs for the next five years at least.
  This includes procuring additional spares and exploring options for
  reconditioning units with new batteries and the like.

We’re happy to answer any questions and we’ll keep you posted as circumstances
evolve. Obviously the HSM is at the heart of the security of the KSK so we will
be devoting significant resources to this development in the coming year.



Kim Davies
VP, IANA Services, ICANN
President, PTI

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the root-dnssec-announce mailing list