[Freeipa-devel] certmonger/oddjob for DNSSEC key maintenance
Petr Spacek
pspacek at redhat.com
Fri Aug 9 12:30:59 UTC 2013
Hello,
I would like to get opinions about key maintenance for DNSSEC.
Problem summary:
- FreeIPA will support DNSSEC
- DNSSEC deployment requires <2,n> cryptographic keys for each DNS zone (i.e.
objects in LDAP)
- The same keys are shared by all FreeIPA servers
- Keys have limited lifetime and have to be re-generated on monthly basics (in
very first approximation, it will be configurable and the interval will differ
for different key types)
- The plan is to store keys in LDAP and let 'something' (i.e. certmonger or
oddjob?) to generate and store the new keys back into LDAP
- There are command line tools for key-generation (dnssec-keygen from the
package bind-utils)
- We plan to select one super-master which will handle regular
key-regeneration (i.e. do the same as we do for special CA certificates)
- Keys stored in LDAP will be encrypted somehow, most probably by some
symmetric key shared among all IPA DNS servers
Could certmonger or oddjob do key maintenance for us? I can imagine something
like this:
- watch some attributes in LDAP and wait until some key expires
- run dnssec-keygen utility
- read resulting keys and encrypt them with given 'master key'
- store resulting blobs in LDAP
- wait until another key reaches expiration timestamp
It is simplified, because there will be multiple keys with different
lifetimes, but the idea is the same. All the gory details are in the thread
'[Freeipa-devel] DNSSEC support design considerations: key material handling':
https://www.redhat.com/archives/freeipa-devel/2013-July/msg00129.html
https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html
Nalin and others, what do you think? Is certmonger or oddjob the right place
to do something like this?
Thank you for your time!
--
Petr^2 Spacek
More information about the Freeipa-devel
mailing list