[Freeipa-devel] DNSSEC design page

Petr Spacek pspacek at redhat.com
Fri Feb 14 11:08:04 UTC 2014


On 14.2.2014 11:03, Jan Cholasta wrote:
> On 13.2.2014 18:36, Petr Spacek wrote:
>> Hello list,
>>
>> I would like to point you to design pages for DNSSEC feature:
>>
>> Zone signing:
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
>>
>> Automatic key rotation:
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
>>
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm
>>
>> You can ignore bind-dyndb-ldap specifics and think about interactions
>> with FreeIPA and SSSD.
>>
>> - We need to design an LDAP schema for key storage (Ludwig is looking into
>> it).
>
> Keep in mind the schema has to work with or be extensible enough for other
> uses as well, ATM at least IPA CA certificate storage.

Feel free to extend the design page as necessary. Maybe we should create a 
separate design page specifically for this PKCS#11 module.

In fact, it is not related to DNSSEC at all. We just need to add some 
DNSSEC-specific metadata to keys, nothing else.

> IMO the easiest (from the PKCS#11 module writing perspective) way to do it
> would be to map PKCS#11 object classes and attributes directly to LDAP object
> classes and attributes, but that might be too low-level for us.
>
>> - We need to write a PKCS#11 module on top of the LDAP database.
>
> SSSD.
>
>> - We need to design key rotation on client side (SSSD? Certmonger?).
>
> Also SSSD.
>
> I thought we already agreed on that last week?

The last idea I heard was about certmonger - Dmitri thought that Certmonger 
already has all the necessary logic.

In any case, nothing is set in stone. We have to discuss pros and cons and 
then decide.

Keep in mind that we have to support key rotation even if the key was 
compromised ... (Fallback from RFC 5011 to Kerberos+LDAP or something like that.)

>> - We need to design WebUI/CLI
>> etc.
>>
>> Read sections 'External Impact' carefully :-)
>>
>> Have a nice day!

-- 
Petr^2 Spacek
