[Freeipa-devel] DNSSEC design page

Ludwig Krispenz lkrispen at redhat.com
Tue Feb 18 13:02:59 UTC 2014


Hi,

yesterday Jan asked me about the status of the schema and if it would be 
ready for certificate storage, and that puzzled me a bit and showed that 
I still do not really understand what you want to store in LDAP.
To me there are two very different approaches.

1] LDAP as store for high level objects like certs and keys
For certs and related stuff there is RFC 4523 and the schema for LDIF 
exists. For keys we would decide if the key is stored in PKCS#8 format 
or as bind keypairs and define a key attribute, and that's it. We could 
export keys with SoftHSM, (eventually convert them) and add them to LDAP; in 
the long-term solution the PKCS#11 replacement would need to manage these 
high level objects.

2] low level replacement for e.g. the sqlite3 database in SoftHSM.
That's what I sometimes get the impression is wanted. SoftHSM has 
one component, Softdatabase, with an API which more or less passes sets 
of attributes (attributes defined by PKCS#11) and then stores them as 
records in SQL where each record has a key type and an opaque blob of data. 
If that is what is wanted, the decision would be how fine-grained the PKCS#11 
objects/attribute types would have to be mapped to LDAP: one LDAP 
attribute for each possible attribute type?

Ludwig


On 02/13/2014 06:36 PM, Petr Spacek wrote:
> Hello list,
>
> I would like to point you to design pages for DNSSEC feature:
>
> Zone signing:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
>
> Automatic key rotation:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm
>
>
> You can ignore bind-dyndb-ldap specifics and think about interactions 
> with FreeIPA and SSSD.
>
> - We need to design LDAP schema for key storage (Ludwig is looking 
> into it).
> - We need to write PKCS#11 module on top of LDAP database.
> - We need to design key rotation on client side (SSSD? Certmonger?).
> - We need to design WebUI/CLI
> etc.
>
> Read sections 'External Impact' carefully :-)
>
> Have a nice day!
>
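To make the two storage approaches Ludwig contrasts concrete, here is an added illustration (not code from the thread, FreeIPA or SoftHSM): approach 2 fans a PKCS#11 attribute template out into one LDAP attribute per CKA_* type, which forces a decision on the LDAP syntax of each one, while approach 1 keeps the key as a single opaque PKCS#8 blob. The LDAP attribute and object class names (pkcs11Class, pkcs11Object, pkcs8PrivateKey, ...) are hypothetical; the CKA_*/CKO_*/CKK_* values are the PKCS#11 constants.

```python
import base64

# PKCS#11 constants (values as defined in the PKCS#11 specification).
CKA_CLASS, CKA_TOKEN, CKA_LABEL, CKA_VALUE = 0x000, 0x001, 0x003, 0x011
CKA_KEY_TYPE, CKA_ID = 0x100, 0x102
CKO_PRIVATE_KEY, CKK_RSA = 3, 0

# Hypothetical schema: one LDAP attribute per PKCS#11 attribute type, each
# tagged with the LDAP syntax needed to preserve the PKCS#11 value type.
ATTR_MAP = {
    CKA_CLASS:    ("pkcs11Class", "ulong"),
    CKA_TOKEN:    ("pkcs11Token", "bool"),
    CKA_LABEL:    ("pkcs11Label", "utf8"),
    CKA_KEY_TYPE: ("pkcs11KeyType", "ulong"),
    CKA_ID:       ("pkcs11Id", "bytes"),
    CKA_VALUE:    ("pkcs11Value", "bytes"),
}

def template_to_ldif(dn, template):
    """Approach 2: emit one LDAP attribute per PKCS#11 attribute in the template."""
    lines = [f"dn: {dn}", "objectClass: pkcs11Object"]
    for cka, value in template.items():
        if cka not in ATTR_MAP:  # every CKA type needs a schema entry
            raise KeyError(f"no LDAP attribute defined for CKA 0x{cka:x}")
        name, kind = ATTR_MAP[cka]
        if kind == "bool":
            lines.append(f"{name}: {'TRUE' if value else 'FALSE'}")
        elif kind == "ulong":
            lines.append(f"{name}: {int(value)}")
        elif kind == "utf8":
            lines.append(f"{name}: {value}")
        else:  # binary values use the LDIF base64 ("::") form
            lines.append(f"{name}:: {base64.b64encode(value).decode()}")
    return "\n".join(lines) + "\n"

def ldif_to_template(ldif):
    """Reverse of template_to_ldif: rebuild the typed PKCS#11 template."""
    by_name = {name: (cka, kind) for cka, (name, kind) in ATTR_MAP.items()}
    template = {}
    for line in ldif.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name not in by_name:
            continue
        binary = rest.startswith(":")
        raw = (rest[1:] if binary else rest).lstrip()
        cka, kind = by_name[name]
        if kind == "bool":
            template[cka] = raw == "TRUE"
        elif kind == "ulong":
            template[cka] = int(raw)
        else:
            template[cka] = base64.b64decode(raw) if kind == "bytes" else raw
    return template

def pkcs8_to_ldif(dn, pkcs8_der):
    """Approach 1: the whole key is one opaque PKCS#8 DER blob in one attribute."""
    blob = base64.b64encode(pkcs8_der).decode()
    return f"dn: {dn}\nobjectClass: pkcs8Key\npkcs8PrivateKey:: {blob}\n"
```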
