[Freeipa-devel] DNSSEC support design considerations: key material handling

Petr Spacek pspacek at redhat.com
Tue Jul 23 08:55:05 UTC 2013


On 19.7.2013 19:55, Simo Sorce wrote:
> I will reply to the rest of the message later if necessary, still
> digesting some of your answers, but I wanted to address the following
> first.
>
> On Fri, 2013-07-19 at 18:29 +0200, Petr Spacek wrote:
>>
>> The most important question at the moment is "What can we postpone?
>> How fragile can it be for shipping it as part of Fedora 20?" Could we
>> declare DNSSEC support as "technology preview"/"don't use it for
>> anything serious"?
>
> Until we figure out proper management in LDAP we will be a bit stuck,
> especially if we want to consider using the 'something' that stores keys
> instead of storing them straight in LDAP.
>
> So maybe we can start with allowing just one server to do DNSSEC and
> source keys from files for now ?

The problem is that DNSSEC deployment *on a single domain* is 'all or nothing': 
all DNS servers have to support DNSSEC, otherwise validation on the client side 
can fail at random.

Note that the *parent* zone indicates that a particular child zone is secured 
with DNSSEC by sending a DS (delegation signer) record to the client. Validation 
will fail if the client receives a DS record from the parent but no signatures are 
present in the data from the 'child' zone itself.

This prevents downgrade (DNSSEC => plain DNS) attacks.

As a result, we have only two options: one DNS server with DNSSEC enabled, or 
an arbitrary number of DNS servers without DNSSEC, which is very unfortunate.

> As soon as we have that working we should also have clearer plans about
> how we manage keys in LDAP (or elsewhere).

-- 
Petr^2 Spacek
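The chain-of-trust check behind the "all or nothing" argument above, as an added example that is not code from the FreeIPA project or from anyone in this thread. It implements the real DS to DNSKEY binding (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) and then classifies a child zone's answer the way a validating resolver does: no DS at the parent means "insecure" (plain DNS is accepted), a DS with a matching DNSKEY and signed data means "secure", and a DS with no matching key or no signatures means "bogus". Cryptographic RRSIG verification is replaced by a `signed` flag, which is an assumption made to keep the example short; the zone name `ipa.example.`, the key bytes and the server names `ipa1`/`ipa2` are constructed sample data.

```python
"""Toy model of DNSSEC delegation validation (added example, not project code).

Real parts: DNS wire-format owner names, DNSKEY RDATA layout, key tag
(RFC 4034 App. B) and DS SHA-256 digest (RFC 4509).
Assumed/simplified: RRSIG verification is stood in for by a boolean
'signed' flag on the answer.
"""
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name such as 'ipa.example.'."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += struct.pack("B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (16 bit), protocol (8 bit), algorithm (8 bit), key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata):
    """DS record the parent publishes for a child key (digest type 2 = SHA-256)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}


def validate(parent_ds, answer):
    """Classify a child answer as a validating resolver would.

    parent_ds: DS records returned by the parent for the delegation ([] = none).
    answer: {'owner': name, 'dnskey': [rdata, ...], 'signed': bool}
    Returns 'insecure', 'secure' or 'bogus'.
    """
    if not parent_ds:
        # No DS at the parent: unsigned delegation, plain DNS is accepted.
        return "insecure"
    # The parent says the zone is signed, so a DNSKEY matching some DS is required...
    matching = [k for k in answer.get("dnskey", [])
                if any(make_ds(answer["owner"], k) == ds for ds in parent_ds)]
    if not matching:
        return "bogus"
    # ...and the data must carry signatures (assumed here: the 'signed' flag).
    if not answer.get("signed"):
        return "bogus"  # DS present but no RRSIG: the downgrade case the DS prevents
    return "secure"


def deployment_outcomes(parent_ds, servers):
    """Result a resolver sees depending on which authoritative server it picks."""
    return {name: validate(parent_ds, ans) for name, ans in servers.items()}


# Constructed sample data: one signed and one unsigned server for the same zone.
ZONE = "ipa.example."
KSK = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
PARENT_DS = [make_ds(ZONE, KSK)]
SERVERS = {
    "ipa1": {"owner": ZONE, "dnskey": [KSK], "signed": True},
    "ipa2": {"owner": ZONE, "dnskey": [], "signed": False},
}

if __name__ == "__main__":
    for server, result in deployment_outcomes(PARENT_DS, SERVERS).items():
        print(f"{server}: {result}")
    # ipa1 -> secure, ipa2 -> bogus: any client that happens to be answered by
    # the unsigned replica fails validation once the parent publishes the DS.
```

The `deployment_outcomes` call is the mixed-deployment case from the message: with the DS published at the parent, the signed replica validates as secure while the unsigned one is bogus, so resolvers fail intermittently depending on which server answers; with no DS published, both are merely insecure and nothing breaks, which is why the choice is one signed server or many unsigned ones.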
