[Freeipa-devel] certmonger/oddjob for DNSSEC key maintenance

Rob Crittenden rcritten at redhat.com
Tue Aug 27 19:05:00 UTC 2013

Dmitri Pal wrote:
> On 08/09/2013 08:30 AM, Petr Spacek wrote:
>> Hello,
>> I would like to get opinions about key maintenance for DNSSEC.
>> Problem summary:
>> - FreeIPA will support DNSSEC
>> - DNSSEC deployment requires <2,n> cryptographic keys for each DNS
>> zone (i.e. objects in LDAP)
>> - The same keys are shared by all FreeIPA servers
>> - Keys have a limited lifetime and have to be re-generated on a monthly
>> basis (in a very first approximation, it will be configurable and the
>> interval will differ for different key types)
>> - The plan is to store keys in LDAP and let 'something' (i.e.
>> certmonger or oddjob?) generate and store the new keys back into LDAP
>> - There are command line tools for key-generation (dnssec-keygen from
>> the package bind-utils)
>> - We plan to select one super-master which will handle regular
>> key-regeneration (i.e. do the same as we do for special CA certificates)
>> - Keys stored in LDAP will be encrypted somehow, most probably by some
>> symmetric key shared among all IPA DNS servers
>> Could certmonger or oddjob do key maintenance for us? I can imagine
>> something like this:
>> - watch some attributes in LDAP and wait until some key expires
>> - run dnssec-keygen utility
>> - read resulting keys and encrypt them with given 'master key'
>> - store resulting blobs in LDAP
>> - wait until another key reaches expiration timestamp
>> It is simplified, because there will be multiple keys with different
>> lifetimes, but the idea is the same. All the gory details are in the
>> thread '[Freeipa-devel] DNSSEC support design considerations: key
>> material handling':
>> https://www.redhat.com/archives/freeipa-devel/2013-July/msg00129.html
>> https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html
>> Nalin and others, what do you think? Is certmonger or oddjob the right
>> place to do something like this?
>> Thank you for your time!
> Was there any discussion of this mail?

I think at least some of this was covered in another thread, "DNSSEC 
support design considerations: key material handling" at 

