[Freeipa-devel] certmonger/oddjob for DNSSEC key maintenance
Dmitri Pal
dpal at redhat.com
Tue Aug 27 21:08:55 UTC 2013
On 08/27/2013 03:05 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 08/09/2013 08:30 AM, Petr Spacek wrote:
>>> Hello,
>>>
>>> I would like to get opinions about key maintenance for DNSSEC.
>>>
>>> Problem summary:
>>> - FreeIPA will support DNSSEC
>>> - DNSSEC deployment requires <2,n> cryptographic keys for each DNS
>>> zone (i.e. objects in LDAP)
>>> - The same keys are shared by all FreeIPA servers
>>> - Keys have limited lifetime and have to be re-generated on monthly
>>> basics (in very first approximation, it will be configurable and the
>>> interval will differ for different key types)
>>> - The plan is to store keys in LDAP and let 'something' (i.e.
>>> certmonger or oddjob?) to generate and store the new keys back into
>>> LDAP
>>> - There are command line tools for key-generation (dnssec-keygen from
>>> the package bind-utils)
>>> - We plan to select one super-master which will handle regular
>>> key-regeneration (i.e. do the same as we do for special CA
>>> certificates)
>>> - Keys stored in LDAP will be encrypted somehow, most probably by some
>>> symmetric key shared among all IPA DNS servers
>>>
>>> Could certmonger or oddjob do key maintenance for us? I can imagine
>>> something like this:
>>> - watch some attributes in LDAP and wait until some key expires
>>> - run dnssec-keygen utility
>>> - read resulting keys and encrypt them with given 'master key'
>>> - store resulting blobs in LDAP
>>> - wait until another key reaches expiration timestamp
>>>
>>> It is simplified, because there will be multiple keys with different
>>> lifetimes, but the idea is the same. All the gory details are in the
>>> thread '[Freeipa-devel] DNSSEC support design considerations: key
>>> material handling':
>>> https://www.redhat.com/archives/freeipa-devel/2013-July/msg00129.html
>>> https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html
>>>
>>> Nalin and others, what do you think? Is certmonger or oddjob the right
>>> place to do something like this?
>>>
>>> Thank you for your time!
>>>
>> Was there any discussion of this mail?
>>
>
> I think at least some of this was covered in another thread, "DNSSEC
> support design considerations: key material handling" at
> https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html
>
> rob
>
>
Yes, I have found that thread though I have not found it to come to some
conclusion and a firm plan.
I will leave to Petr to summarize outstanding issues and repost them.
BTW I like the idea of masters being responsible for generating a subset
of the keys as Loris suggested.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list