[Freeipa-devel] DNSSEC support design considerations: key material handling

Petr Spacek pspacek at redhat.com
Fri Aug 9 08:42:25 UTC 2013 

On 23.7.2013 10:55, Petr Spacek wrote:
> On 19.7.2013 19:55, Simo Sorce wrote:
>> I will reply to the rest of the message later if necessary, still
>> digesting some of your answers, but I wanted to address the following
>> first.
>>
>> On Fri, 2013-07-19 at 18:29 +0200, Petr Spacek wrote:
>>>
>>> The most important question at the moment is "What can we postpone?
>>> How
>>> fragile it can be for shipping it as part of Fedora 20?" Could we
>>> declare
>>> DNSSEC support as "technology preview"/"don't use it for anything
>>> serious"?
>>
>> Until we figur out proper management in LDAP we will be a bit stuck, esp
>> if we want to consider usin the 'somthing' that stores keys instead of
>> toring them stright in LDAP.
>>
>> So maybe we can start with allowing just one server to do DNSSEC and
>> source keys from files for now ?
>
> The problem is that DNSSEC deployment *on single domain* is 'all or nothing':
> All DNS servers have to support DNSSEC otherwise the validation on client side
> can fail randomly.
>
> Note that *parent* zone indicates that the particular child zone is secured
> with DNSSEC by sending DS (delegation signer) record to the client. Validation
> will fail if client receives DS record from the parent but no signatures are
> present in data from 'child' zone itself.
>
> This prevents downgrade (DNSSEC => plain DNS) attacks.
>
> As a result, we have only two options: One DNS server with DNSSEC enabled or
> arbitrary number DNS servers without DNSSEC, which is very unfortunate.
>
>> as soon as we have that workign we should also have clearer plans about
>> how we manage keys in LDAP (or elsewhere).

Dmitri, Martin and me discussed this proposal in person and the new plan is:
- Elect one super-master which will handle key generation (as we do with 
special CA certificates)
- Store generated DNSSEC keys in LDAP
- Encrypt stored keys with 'DNSSEC master key' shared by all servers
- Derive 'DNSSEC master key' from 'Kerberos master key' during server 
install/upgrade and store it somewhere on the filesystem (as the Kerberos 
master key, on each IPA server)
- Consider certmonger or oddjob as key generation triggers

I think that we should add one new thing - a 'salt' - used for Kerberos master 
key->DNSSEC master key derivation. It would allow us to re-generate DNSSEC 
master key as necessary without a change in the Kerberos master key.


Does it make sense? Does anybody have any ideas/recommendations which 
libraries we should use for key derivation and key material en/decryption?

Thank you for your time!

-- 
Petr^2 Spacek

More information about the Freeipa-devel mailing list