Do the people who hold the root DNS keys do anything like this? Or is that too much complexity when a safe in a secure room works as an effective backup?
Do the people who hold the root DNS keys do anything like this? Or is that too much complexity when a safe in a secure room works as an effective backup?
They do something similar. Basically 5 people are needed in order to access the dns root keys plus some extra administrative/witness people. 3 Crypto Officers with smartcards to unlock the hsm, 2 other officials to unlock the vault that contains the hsm and the vault that contains safety deposit boxes with the smartcards. There are 7 crypto officers, of which any three will do.
https://www.cloudflare.com/learning/dns/dnssec/root-signing-...