[Freeipa-devel] DNSSEC design page: key wrapping

Martin Kosek mkosek at redhat.com
Wed Mar 5 15:29:20 UTC 2014


On 03/05/2014 03:04 PM, Simo Sorce wrote:
> On Wed, 2014-03-05 at 13:05 +0100, Martin Kosek wrote:
>> On 03/04/2014 11:14 PM, Petr Spacek wrote:
>>> On 4.3.2014 22:53, Simo Sorce wrote:
>>>> On Tue, 2014-03-04 at 22:38 +0100, Petr Spacek wrote:
>>>>> On 4.3.2014 22:15, Simo Sorce wrote:
>>>>>> On Tue, 2014-03-04 at 21:25 +0100, Petr Spacek wrote:
>> ...
>>>> I guess my only reservation is about whether DRM storage is replicated
>>>> or not. Although both the K/M and DNS cases do not require the Vault to
>>>> be online at all times, because the keys will be downloaded and stored
>>>> locally and only need to be accessed when they change, there is the
>>>> problem of having all keys in a SPOF, which should not happen.
>>> According to http://www.freeipa.org/page/V4/Password_Vault#Replication the
>>> replication is available for DRM, we just need to use it.
>>>
>>> IMHO a vault without replication is not useful anyway. Users are not happy when
>>> their passwords disappear ;-)
>>>
>>>> The additional thing about the Vault is that we can use key escrow there
>>>> as a mechanism to re-encrypt automatically system relevant keys when a
>>>> new server is joined to the realm.
>>> So we agree that Vault offers what we want so we should use it, right?
>>>
>>> I think we should determine if we can use Vault for K/M. It would be another
>>> reason why we should use Vault instead of a custom solution.
>>>
>>
>> Do we really want to use the heavy machinery Vault for DNSSEC keys? I would
>> personally like to avoid it and use something more lightweight.
>>
>> Vault seems to me as a too heavy requirement for FreeIPA server with DNS. It
>> needs Tomcat and all the Java machinery, special installation, replication
>> scheme, difficult debugging etc. In my mind, Vault is a specialized heavy
>> component that solves specific problems that not every admin may want and thus
>> may cause a lot of grief to such admins who just want CA-less FreeIPA and DNS(SEC).
> 
> Well, keep in mind that you do not need a vault instance on every DNS
> server; just like with the CA, a few servers would be sufficient. DNS key
> rotation happens relatively 'rarely' so the dependency is not a huge
> problem in terms of performance or management. There is the problem of
> the heavyweight java-based infrastructure, but we already have that
> dependency for the CA part, so it's not like we are adding anything new.

Yeah, but the plan is not to force people to have the heavyweight Java
infrastructure on each server, so that they are able to create more lightweight
servers with only the components they choose:

https://fedorahosted.org/freeipa/ticket/4058

Martin
