Case Study: SURFnet achieves secure DNSSEC key management and protection of thousands of DNS zones with Thales Luna HSMs

SURFnet Selects Thales Luna HSMs to Secure DNSSEC Material

SURFnet, the national computer network for higher education and research in the Netherlands, needed to protect DNSSEC private key material across a large constituency of universities, hospitals, research institutes and libraries to guard against cache poisoning, man‑in‑the‑middle attacks, e‑mail rerouting and other DNS vulnerabilities. Seeking a standards‑based, PKCS#11‑compatible solution that worked with OpenDNSSEC and offered strong support and reputation, SURFnet selected Thales and its Luna HSMs to secure its DNS infrastructure.

Thales deployed Luna HSMs in a high‑availability, standards‑compliant configuration, integrating with OpenDNSSEC and centralizing key generation, distribution, rotation, storage, archival and termination. The solution offloaded cryptographic processing from application servers, hardened key storage, and streamlined administration—safeguarding thousands of DNS zones, improving performance and scalability for SURFnet’s large constituency, and reducing the operational risk of keys stored on insecure platforms.

SURFnet

Roland van Rijswijk

Innovator Internet Security