[Freeipa-devel] DNSSEC design page

Jan Cholasta jcholast at redhat.com
Fri Feb 14 11:27:45 UTC 2014


On 14.2.2014 12:08, Petr Spacek wrote:
> On 14.2.2014 11:03, Jan Cholasta wrote:
>> On 13.2.2014 18:36, Petr Spacek wrote:
>>> Hello list,
>>>
>>> I would like to point you to design pages for DNSSEC feature:
>>>
>>> Zone signing:
>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
>>>
>>> Automatic key rotation:
>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
>>>
>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm
>>>
>>> You can ignore bind-dyndb-ldap specifics and think about interactions
>>> with FreeIPA and SSSD.
>>>
>>> - We need to design LDAP schema for key storage (Ludwig is looking into
>>> it).
>>
>> Keep in mind the schema has to work with or be extensible enough for
>> other uses as well, ATM at least IPA CA certificate storage.
>
> Feel free to extend the design page as necessary. Maybe we should
> create a separate design page specifically for this PKCS#11 module.

+1

>
> In fact, it is not related to DNSSEC at all. We just need to add some
> DNSSEC-specific meta data to keys, nothing else.

My point exactly.

>
>> IMO the easiest (from the PKCS#11 module writing perspective) way to
>> do it would be to map PKCS#11 object classes and attributes directly
>> to LDAP object classes and attributes, but that might be too low-level
>> for us.
>>
>>> - We need to write a PKCS#11 module on top of LDAP database.
>>
>> SSSD.
>>
>>> - We need to design key rotation on client side (SSSD? Certmonger?).
>>
>> Also SSSD.
>>
>> I thought we already agreed on that last week?
>
> The last idea I have heard was about certmonger - Dmitri thought that
> Certmonger already has all the necessary logic.

It does not; for starters, there is no LDAP or caching. If anything, it 
might be a combination of both, but I think that's more relevant to CA 
certificate rotation than DNSSEC.

>
> In any case, nothing is set in stone. We have to discuss pros and cons
> and then decide.

Obviously :-)

>
> Keep in mind that we have to support key rotation even if the key was
> compromised ... (Fallback from RFC 5011 to Kerberos+LDAP or something
> like that.)

I don't see how this gives an advantage to either SSSD or certmonger.

>
>>> - We need to design WebUI/CLI
>>> etc.
>>>
>>> Read sections 'External Impact' carefully :-)
>>>
>>> Have a nice day!
>


-- 
Jan Cholasta
