Protecting the Internet with Thales nShield HSMs

Thales hardware security modules (HSMs) enable top-level domains (TLDs), registrars, registries and enterprises to secure the critically important signing keys used to validate the integrity of DNSSEC responses across the Internet, and to protect the DNS from what are commonly referred to as “cache poisoning” and “man-in-the-middle” attacks. This solution brief highlights the growing concern over the security of the DNS, both for internal organizational intranets, where the integrity of local DNS records is critical, and for external Internet-based transactions, where trusted communications are vital for continued growth in electronic commerce.


  • Ensure integrity of the DNSSEC validation process with independently certified HSMs (FIPS 140-2 Level 3 and Common Criteria EAL4+)
  • Maintain a robust tamper-resistant hardware boundary and a proven, auditable mechanism to protect valuable signing keys, even when archived
  • Enforce separation of duties through robust access controls to mitigate the threat of single “super users” and facilitate regulatory compliance
  • Achieve high availability and improved DNS server performance with unlimited key storage, secure backup