[Freeipa-devel] LDAP schema for DNSSEC keys
Jan Cholasta
jcholast at redhat.com
Tue Jul 29 09:49:06 UTC 2014
Dne 29.7.2014 v 08:56 Simo Sorce napsal(a):
> On Tue, 2014-07-29 at 08:46 +0200, Jan Cholasta wrote:
>> Dne 28.7.2014 v 11:04 Simo Sorce napsal(a):
>>> On Fri, 2014-07-25 at 19:26 +0200, Petr Spacek wrote:
>>>>
>>>> I have updated design page and diagrams:
>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#LDAPschema
>>>
>>> Excellent page, I took a full read and it all seem reasonable.
>>>
>>> However I would like a page like this with the detailed summary of key
>>> material handling.
>>>
>>> This is important to get right and have documented anyway so if someone
>>> could summarize in detail all the key handling I would be happy to do a
>>> detailed review and think carefully about the security stance of the
>>> final solution we agreed on. If we can do this early it would be better
>>> to avoid costly rewrites should we have forgotten/underestimated some
>>> implementation detail that requires changes.
>>>
>>> Simo.
>>>
>>
>> Do you need more detail than
>> <https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#Keydistribution>?
>
> It's almost there but the wraping/unwrapping steps are a bit handwavy.
>
> I would like more details on algorithms we are going to use and exactly
> what parts do the wrapping and unwrapping. For example we say all these
> operations happen in SoftHSM at the start, but then the steps that
> describe how these keys are inserted into or extracted from SoftHSM are
> vague enough they can be interpreted as these operations are being
> performed outside of SoftHSM. It should be made much clearer exactly
> what component on the system will perform each and any of the key
> (un)wrapping operations and with which keys and algorithms.
>
> Simo.
>
I don't think I'm authorized to edit bind-dyndb-ldap wiki, so I'm going
to comment the steps from the link above here:
> First server installation (replica1)
>
> This operation needs to be detected and guarded so only one replica will become DNSSEC master. It can be done by writing who is DNSSEC master to cn=masters.
>
> 1. Generate symmetric "master key" for DNSSEC
The master key is generated on the token by C_GenerateKey call using the
CKM_AES_KEY_GEN mechanism, it is 128b AES, it can be used for wrapping
and unwrapping keys, it can be extracted from the token by wrapping, but
not in plaintext.
>
> 2. Generate replica key pair:
The replica key pair is generated on the token by C_GenerateKeyPair call
using the CKM_RSA_PKCS_KEY_PAIR_GEN mechanism, it is 2048b RSA, the
public part can be used for wrapping keys and can be extracted from the
token in plaintext, the private part can be used for unwrapping keys and
can't be extracted from the token.
>
> * Store public key to LDAP: cn=DNS,cn=<replica FQDN>,cn=masters,cn=ipa,cn=etc,dc=example sub-tree in LDAP.
>
> * Store private key to SoftHSM (on disk).
This is already achieved above by generating the replica key pair on the
token.
>
> 3. Wrap master key with replica key:
The master key is wrapped on the token by C_WrapKey using the
CKM_RSA_PKCS mechanism and the replica public key as the wrapping key.
>
> * Store resulting blob in cn=master, cn=keys, cn=sec, cn=dns, dc=example sub-tree in LDAP.
>
>
> Replica installation (replica2)
>
> This is done by ipa-replica-install:
>
> 1. Generate replica key pair:
The replica key pair is generated in the same manner as in first server
installation.
>
> 2. Store public key to LDAP: cn=DNS,cn=<replica FQDN>,cn=masters,cn=ipa,cn=etc,dc=example sub-tree in LDAP.
>
> 3. Store private key in SoftHSM (on disk).
This is already achieved above by generating the replica key pair on the
token.
>
> This is done by little daemon running on replica 1:
>
> 1. DNSSEC master-replica will detect (SyncRepl) a new public key in cn=masters sub-tree and will use own private key (replica1's) to re-encrypt master key using public key of the new replica (replica2)
The master key is wrapped in the same manner as in first server
installation.
>
> 2. Store resulting master-key-blob to cn=master, cn=keys, cn=sec, cn=dns, dc=example sub-tree in LDAP.
>
> This is done by little daemon running on replica 2:
>
> 1. Download blob with master key from LDAP.
The master key is rotated when a replica is deleted, so there may be
more than one master keys in LDAP, but there will be only one which is
allowed to wrap keys. This particular master key is downloaded in this step.
>
> 2. Unwrap blob with replica2's private key.
The master key is unwrapped on the token by C_UnwrapKey call using
CKM_RSA_PKCS mechanism with the replica private key as the unwrapping
key, it can be used for wrapping and unwrapping keys, it can be
extracted from the token by wrapping, but not in plaintext.
>
> 3. Store raw master key to local SoftHSM.
This is already achieved above by unwrapping the master key on the token.
>
>
> Replica uninstallation (replica2)
>
> NOTE: replica1 cannot be uninstalled at the moment. Support for this scenario requires more work.
>
> NOTE: Old master keys remain in LDAP and old DNSSEC keys are not touched at all. After all, all keys used before replica removal are on replica2's disk anyway.
>
> This step is done by ipa-replica-manage:
>
> 1. Delete replica entry in cn=masters.
>
> All operations with keys are done by little daemon running on replica1:
>
> 1. Detect that replica2's public key was deleted and initiate master key rotation.
>
> 2. Generate a new master key.
The master key is generated in the same manner as in first server
installation. After the new master key is generated, wrapping keys using
the old master key is disabled.
>
> 3. Wrap new master key with all currently published replica-public keys (from cn=masters) and store it to LDAP
The master key is wrapped in the same manner as in first server
installation.
>
>
> DNSSEC key generation (replica1)
>
> Key wrapping is done only by replica1 which is running OpenDNSSEC Enforcer daemon.
>
> 1. Let OpenDNSSEC Enforcer to generate a key according to time schedule. (OpenDNSSEC Enforcer calls OpenDNSSEC Signer daemon which is replaced by our script.)
OpenDNSSEC generates a key pair on the token by C_GenerateKeyPair call,
the details are OpenDNSSEC-specific, the private part can be extracted
from the token by wrapping, but not in plaintext.
>
> 2. Wrap DNSSEC key with newest master key (stored in local SoftHSM) and store resulting blob to cn=keys, cn=sec, cn=dns.
The private key is wrapped on the token by C_WrapKey call using the
CKM_AES_KEY_WRAP_PAD mechanism and the current master key as the
wrapping key.
>
> 3. Store key metadata to cn=keys, idnsname=example.net, cn=dns
>
>
> DNSSEC key unwrapping (replica2)
>
> This is done by little daemons running on all replicas with DNS.
>
> 1. Detect a new key in LDAP (SyncRepl).
>
> 2. Download blob from LDAP.
>
> 3. Unwrap blob with master key described by ipaWrappingKey attribute.
The private key is unwrapped on the token by C_UnwrapKey call using the
CKM_AES_KEY_WRAP_PAD mechanism and the master key specified by
ipaWrappingKey as the unwrapping key, the private part can be extracted
from the token by wrapping, but not in plaintext.
>
> 4. Store raw DNSSEC key in local SoftHSM.
This is already achieved above by unwrapping the private key on the token.
--
Jan Cholasta
More information about the Freeipa-devel
mailing list