[Freeipa-devel] DNSSEC design page

Jan Cholasta jcholast at redhat.com
Fri Feb 14 10:03:24 UTC 2014


Hi,

On 13.2.2014 18:36, Petr Spacek wrote:
> Hello list,
>
> I would like to point you to design pages for DNSSEC feature:
>
> Zone signing:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
>
> Automatic key rotation:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
>
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm
>
> You can ignore bind-dyndb-ldap specifics and think about interactions
> with FreeIPA and SSSD.
>
> - We need to design LDAP schema for key storage (Ludwig is looking into
> it).

Keep in mind the schema has to work with or be extensible enough for 
other uses as well, ATM at least IPA CA certificate storage.

IMO the easiest (from the PKCS#11 module writing perspective) way to do 
it would be to map PKCS#11 object classes and attributes directly to 
LDAP object classes and attributes, but that might be too low-level 
for us.

> - We need to write PKCS#11 module on top of LDAP database.

SSSD.

> - We need to design key rotation on client side (SSSD? Certmonger?).

Also SSSD.

I thought we already agreed on that last week?

> - We need to design WebUI/CLI
> etc.
>
> Read sections 'External Impact' carefully :-)
>
> Have a nice day!
>

Honza

-- 
Jan Cholasta