[Freeipa-devel] DNSSEC design page

Petr Spacek pspacek at redhat.com
Fri Feb 14 11:37:24 UTC 2014


On 14.2.2014 12:27, Jan Cholasta wrote:
> On 14.2.2014 12:08, Petr Spacek wrote:
>> On 14.2.2014 11:03, Jan Cholasta wrote:
>>> On 13.2.2014 18:36, Petr Spacek wrote:
>>>> Hello list,
>>>>
>>>> I would like to point you to design pages for DNSSEC feature:
>>>>
>>>> Zone signing:
>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
>>>>
>>>> Automatic key rotation:
>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
>>>>
>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm
>>>>
>>>> You can ignore bind-dyndb-ldap specifics and think about interactions
>>>> with FreeIPA and SSSD.
>>>>
>>>> - We need to design LDAP schema for key storage (Ludwig is looking into
>>>> it).
>>>
>>> Keep in mind the schema has to work with or be extensible enough for
>>> other uses as well, ATM at least IPA CA certificate storage.
>>
>> Feel free to extend the design page as necessary. Maybe we should
>> create a separate design page specifically for this PKCS#11 module.
>
> +1

Will you create the design page? I have enjoyed it with DNSSEC and now I would 
like to spend some time with coding ... :-)

http://www.freeipa.org/page/Feature_template

>> In fact, it is not related to DNSSEC at all. We just need to add some
>> DNSSEC-specific meta data to keys, nothing else.
>
> My point exactly.
>
>>
>>> IMO the easiest (from the PKCS#11 module writing perspective) way to
>>> do it would be to map PKCS#11 object classes and attributes directly
>>> to LDAP object classes and attributes, but that might be too much
>>> low-level for us.
>>>
>>>> - We need to write PKCS#11 module on top of LDAP database.
>>>
>>> SSSD.
>>>
>>>> - We need to design key rotation on client side (SSSD? Certmonger?).
>>>
>>> Also SSSD.
>>>
>>> I thought we already agreed on that last week?
>>
>> The last idea I have heard was about certmonger - Dmitri thought that
>> Certmonger already has all the necessary logic.
>
> It does not, for starters there is no LDAP or caching. If anything, it might
> be a combination of both, but I think that's more relevant to CA certificate
> rotation than DNSSEC.
>
>>
>> In any case, nothing is set in stone. We have to discuss pros and cons
>> and then decide.
>
> Obviously :-)
>
>>
>> Keep in mind that we have to support key rotation even if the key was
>> compromised ... (Fallback from RFC 5011 to Kerberos+LDAP or something
>> like that.)
>
> I don't see how this gives an advantage to either SSSD or certmonger.

Sure, I'm just pointing it out so we are all aware of this problem.

>>>> - We need to design WebUI/CLI
>>>> etc.
>>>>
>>>> Read sections 'External Impact' carefully :-)
>>>>
>>>> Have a nice day!

-- 
Petr^2 Spacek