[Freeipa-devel] certmonger/oddjob for DNSSEC key maintenance

Dmitri Pal dpal at redhat.com
Tue Aug 27 18:39:12 UTC 2013


On 08/09/2013 08:30 AM, Petr Spacek wrote:
> Hello,
>
> I would like to get opinions about key maintenance for DNSSEC.
>
> Problem summary:
> - FreeIPA will support DNSSEC
> - DNSSEC deployment requires <2,n> cryptographic keys for each DNS
> zone (i.e. objects in LDAP)
> - The same keys are shared by all FreeIPA servers
> - Keys have limited lifetime and have to be re-generated on a monthly
> basis (in a very first approximation; it will be configurable and the
> interval will differ for different key types)
> - The plan is to store keys in LDAP and let 'something' (i.e.
> certmonger or oddjob?) generate and store the new keys back into LDAP
> - There are command line tools for key-generation (dnssec-keygen from
> the package bind-utils)
> - We plan to select one super-master which will handle regular
> key-regeneration (i.e. do the same as we do for special CA certificates)
> - Keys stored in LDAP will be encrypted somehow, most probably by some
> symmetric key shared among all IPA DNS servers
>
> Could certmonger or oddjob do key maintenance for us? I can imagine
> something like this:
> - watch some attributes in LDAP and wait until some key expires
> - run dnssec-keygen utility
> - read resulting keys and encrypt them with given 'master key'
> - store resulting blobs in LDAP
> - wait until another key reaches expiration timestamp
>
> It is simplified, because there will be multiple keys with different
> lifetimes, but the idea is the same. All the gory details are in the
> thread '[Freeipa-devel] DNSSEC support design considerations: key
> material handling':
> https://www.redhat.com/archives/freeipa-devel/2013-July/msg00129.html
> https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html
>
> Nalin and others, what do you think? Is certmonger or oddjob the right
> place to do something like this?
>
> Thank you for your time!
>
Was there any discussion of this mail?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
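The maintenance loop sketched in the quoted proposal (watch expiry timestamps in LDAP, run dnssec-keygen, encrypt the result with a master key, store the blob, wait for the next expiry), as an added example that is not FreeIPA, certmonger or oddjob code. LDAP is modelled as an in-memory dict; the attribute names, the per-key-type lifetimes and the AES-GCM wrapping are assumptions, and the generator and sealer are injectable so the scheduling logic can be exercised without bind-utils.

```python
import os
import subprocess
from datetime import datetime, timedelta
# Assumed rotation intervals: the thread says "monthly" as a first
# approximation, with the interval differing per key type (constructed).
LIFETIME = {"ZSK": timedelta(days=30), "KSK": timedelta(days=365)}
LDAP_TIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime; all timestamps use it

# Constructed stand-in for the LDAP key objects; attribute names are assumed.
SAMPLE_RECORDS = {
    "zsk-example": {"zone": "example.com", "type": "ZSK",
                    "expires": "20130815000000Z", "blob": None},
    "ksk-example": {"zone": "example.com", "type": "KSK",
                    "expires": "20140101000000Z", "blob": None},
}

def run_dnssec_keygen(zone, keytype, keydir):
    """Default generator: run dnssec-keygen (bind-utils), return the .private file."""
    cmd = ["dnssec-keygen", "-K", keydir, "-a", "RSASHA256", "-b", "2048",
           "-n", "ZONE"] + (["-f", "KSK"] if keytype == "KSK" else []) + [zone]
    name = subprocess.run(cmd, check=True, capture_output=True,
                          text=True).stdout.strip()
    with open(os.path.join(keydir, name + ".private"), "rb") as f:
        return f.read()

def seal_with_master_key(material, master_key):
    """Default wrapper: AES-256-GCM ('cryptography' package), nonce prepended; assumed scheme."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    nonce = os.urandom(12)
    return nonce + AESGCM(master_key).encrypt(nonce, material, None)

def keys_due(records, now):
    """Ids of records whose expiration timestamp is at or before `now`."""
    limit = datetime.strptime(now, LDAP_TIME)
    return [rid for rid, r in records.items()
            if datetime.strptime(r["expires"], LDAP_TIME) <= limit]

def rotate_expired(records, now, master_key, keygen=run_dnssec_keygen,
                   seal=seal_with_master_key, keydir="/tmp"):
    """One pass of the proposed loop (run only on the elected super-master):
    regenerate each expired key, encrypt it, store blob and next expiry."""
    rotated = []
    for rid in keys_due(records, now):
        rec = records[rid]
        rec["blob"] = seal(keygen(rec["zone"], rec["type"], keydir), master_key)
        rec["expires"] = (datetime.strptime(now, LDAP_TIME)
                          + LIFETIME[rec["type"]]).strftime(LDAP_TIME)
        rotated.append(rid)
    return rotated
```

A real deployment would replace the dict with LDAP reads and writes and run the pass from a timer or an attribute watch; the interval constants and the choice of cipher are the parts the thread leaves to be decided.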

