[Freeipa-devel] certmonger/oddjob for DNSSEC key maintenance

Petr Spacek pspacek at redhat.com
Fri Aug 9 12:30:59 UTC 2013


Hello,

I would like to get opinions about key maintenance for DNSSEC.

Problem summary:
- FreeIPA will support DNSSEC
- DNSSEC deployment requires <2,n> cryptographic keys for each DNS zone (i.e. 
objects in LDAP)
- The same keys are shared by all FreeIPA servers
- Keys have limited lifetime and have to be re-generated on a monthly basis (in 
very first approximation, it will be configurable and the interval will differ 
for different key types)
- The plan is to store keys in LDAP and let 'something' (i.e. certmonger or 
oddjob?) generate and store the new keys back into LDAP
- There are command line tools for key-generation (dnssec-keygen from the 
package bind-utils)
- We plan to select one super-master which will handle regular 
key-regeneration (i.e. do the same as we do for special CA certificates)
- Keys stored in LDAP will be encrypted somehow, most probably by some 
symmetric key shared among all IPA DNS servers

Could certmonger or oddjob do key maintenance for us? I can imagine something 
like this:
- watch some attributes in LDAP and wait until some key expires
- run dnssec-keygen utility
- read resulting keys and encrypt them with given 'master key'
- store resulting blobs in LDAP
- wait until another key reaches expiration timestamp

It is simplified, because there will be multiple keys with different 
lifetimes, but the idea is the same. All the gory details are in the thread 
'[Freeipa-devel] DNSSEC support design considerations: key material handling':
https://www.redhat.com/archives/freeipa-devel/2013-July/msg00129.html
https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html
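As an added illustration (not code from this thread or from FreeIPA), the scheduling half of that loop in Python: decide which zone keys have reached their expiration timestamp and build the dnssec-keygen invocation for each. The per-type intervals, the key directory and the key record fields are assumptions; the encrypt-and-store-in-LDAP steps are left out.

```python
"""Planner for the dnssec-keygen maintenance loop sketched above (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: monthly ZSK and yearly KSK regeneration. The mail only states
# "monthly" as a first approximation and that the interval will be configurable.
ROTATION_INTERVALS = {"ZSK": timedelta(days=30), "KSK": timedelta(days=365)}


@dataclass
class ZoneKey:
    """Hypothetical in-memory view of one key record read from LDAP."""
    zone: str
    key_type: str    # "ZSK" or "KSK"
    algorithm: str   # dnssec-keygen algorithm name, e.g. "RSASHA256"
    bits: int
    expires: datetime


def keys_due(keys, now):
    """Keys whose expiration timestamp has been reached (the 'wait' step)."""
    return [k for k in keys if k.expires <= now]


def keygen_command(key, key_dir):
    """argv for regenerating `key`; -K, -a, -b and -f are real dnssec-keygen flags."""
    argv = ["dnssec-keygen", "-K", key_dir, "-a", key.algorithm, "-b", str(key.bits)]
    if key.key_type == "KSK":
        argv += ["-f", "KSK"]   # mark the key as a Key Signing Key
    argv.append(key.zone)
    return argv


def next_expiration(key, now):
    """Expiration to write back alongside the new key, per key type."""
    return now + ROTATION_INTERVALS[key.key_type]


def plan(keys, now, key_dir="/tmp/keys"):
    """One (argv, new_expiration) pair per key that needs regeneration."""
    return [(keygen_command(k, key_dir), next_expiration(k, now)) for k in keys_due(keys, now)]


if __name__ == "__main__":
    # Constructed sample records, not real zone data.
    now = datetime(2013, 8, 9, 12, 30, tzinfo=timezone.utc)
    sample = [
        ZoneKey("example.test.", "ZSK", "RSASHA256", 1024, now - timedelta(days=1)),
        ZoneKey("example.test.", "KSK", "RSASHA256", 2048, now + timedelta(days=200)),
    ]
    for argv, exp in plan(sample, now):
        print(" ".join(argv), "-> next expiration", exp.isoformat())
```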

Nalin and others, what do you think? Is certmonger or oddjob the right place 
to do something like this?

Thank you for your time!

-- 
Petr^2 Spacek