[Freeipa-devel] DNSSEC design page

Dmitri Pal dpal at redhat.com
Fri Feb 14 19:57:01 UTC 2014


On 02/14/2014 06:37 AM, Petr Spacek wrote:
> On 14.2.2014 12:27, Jan Cholasta wrote:
>> On 14.2.2014 12:08, Petr Spacek wrote:
>>> On 14.2.2014 11:03, Jan Cholasta wrote:
>>>> On 13.2.2014 18:36, Petr Spacek wrote:
>>>>> Hello list,
>>>>>
>>>>> I would like to point you to design pages for DNSSEC feature:
>>>>>
>>>>> Zone signing:
>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
>>>>>
>>>>> Automatic key rotation:
>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
>>>>>
>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm
>>>>>
>>>>> You can ignore bind-dyndb-ldap specifics and think about interactions
>>>>> with FreeIPA and SSSD.
>>>>>
>>>>> - We need to design LDAP schema for key storage (Ludwig is looking
>>>>> into it).
>>>>
>>>> Keep in mind the schema has to work with or be extensible enough for
>>>> other uses as well, ATM at least IPA CA certificate storage.
>>>
>>> Feel free to extend the design page as necessary. May be that we should
>>> create separate design page specifically for this PKCS#11 module.
>>
>> +1
>
> Will you create the design page? I have enjoyed it with DNSSEC and now 
> I would like to spend some time with coding ... :-)
>
> http://www.freeipa.org/page/Feature_template
>
>>> In fact, it is not related to DNSSEC at all. We just need to add some
>>> DNSSEC-specific meta data to keys, nothing else.
>>
>> My point exactly.
>>
>>>
>>>> IMO the easiest (from the PKCS#11 module writing perspective) way to
>>>> do it would be to map PKCS#11 object classes and attributes directly
>>>> to LDAP object classes and attributes, but that might be too much
>>>> low-level for us.
>>>>
>>>>> - We need to write PKCS#11 module on top of LDAP database.
>>>>
>>>> SSSD.
>>>>
>>>>> - We need to design key rotation on client side (SSSD? Certmonger?).
>>>>
>>>> Also SSSD.
>>>>
>>>> I thought we already agreed on that last week?
>>>
>>> Last idea I have heard was about certmonger - Dmitri thought that
>>> Certmonger already have all the necessary logic.
>>
>> It does not, for starters there is no LDAP or caching. If anything,
>> it might be a combination of both, but I think that's more relevant
>> to CA certificate rotation than DNSSEC.

I do not insist on certmonger.


>>
>>>
>>> In any case, nothing is set in stone. We have to discuss pros and cons
>>> and then decide.
>>
>> Obviously :-)
>>
>>>
>>> Keep in mind that we have to support key rotation even if the key was
>>> compromised ... (Fallback from RFC 5011 to Kerberos+LDAP or something
>>> like that.)
>>
>> I don't see how this gives advantage to either SSSD or certmonger.
>
> Sure, I'm just pointing it out so we are all aware of this problem.
>
>>>>> - We need to design WebUI/CLI
>>>>> etc.
>>>>>
>>>>> Read sections 'External Impact' carefully :-)
>>>>>
>>>>> Have a nice day!
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
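The thread above raises two client-side points: trust-anchor keys rotate on a schedule, and a rotation must still work when the only trusted key has been compromised, which is why Petr mentions a fallback from RFC 5011 to an authenticated channel such as Kerberos+LDAP. The following is an added illustration written for this archive page; it is not code from the thread, from bind-dyndb-ldap, SSSD or certmonger. It models the RFC 5011 trust-anchor state machine (AddPend, Valid, Missing, Revoked, with the 30-day add hold-down) on constructed key identifiers, treats RRSIG verification as already done by the caller, and adds a hypothetical `install_out_of_band` method standing in for the fallback the thread describes. It shows why the fallback is needed: once the sole anchor is revoked, no replacement can ever be accepted through RFC 5011 alone.

```python
# Added illustration: simplified RFC 5011 trust-anchor tracking, plus the
# out-of-band fallback for the compromised-key case discussed in the thread.
# Key ids, times and scenarios are constructed; signature checking is assumed
# to have been performed by the caller.
from dataclasses import dataclass
from enum import Enum

DAY = 24 * 3600
ADD_HOLD_DOWN = 30 * DAY      # RFC 5011 s2.4.1: wait before a new key is trusted
REMOVE_HOLD_DOWN = 30 * DAY   # RFC 5011 s2.4.2: how long a revoked key is remembered

class State(Enum):
    ADD_PEND = "AddPend"   # seen in the RRset, hold-down timer running
    VALID = "Valid"        # a trust anchor
    MISSING = "Missing"    # trust anchor that vanished from the RRset; still trusted
    REVOKED = "Revoked"    # self-signed with the REVOKE bit; never trusted again

@dataclass(frozen=True)
class DNSKEY:
    key_id: str            # abstraction: a real revoked key changes its key tag
    revoked: bool = False  # REVOKE flag bit (RFC 5011 s2.1) set

@dataclass
class Anchor:
    state: State
    since: int             # time the current state was entered

class TrustAnchors:
    def __init__(self, initial, now=0):
        # Initial anchors are configured out of band (e.g. at install time).
        self.anchors = {kid: Anchor(State.VALID, now) for kid in initial}

    def is_trust_anchor(self, key_id):
        a = self.anchors.get(key_id)
        return a is not None and a.state in (State.VALID, State.MISSING)

    def observe(self, now, rrset, signers):
        """Process the apex DNSKEY RRset seen at time `now`.

        `rrset` lists the keys present; `signers` is the set of key ids whose
        RRSIG over the RRset validated. Returns True if the RRset was accepted
        for trust-anchor processing, False if it was ignored."""
        # RFC 5011 s2.3: only an RRset signed by a current trust anchor counts.
        if not any(self.is_trust_anchor(k) for k in signers):
            return False
        present = {k.key_id for k in rrset}
        for key in rrset:
            a = self.anchors.get(key.key_id)
            if key.revoked:
                # A revocation is honoured only if the revoked key signed the RRset itself.
                if key.key_id in signers and a is not None and a.state != State.REVOKED:
                    self.anchors[key.key_id] = Anchor(State.REVOKED, now)
            elif a is None:
                self.anchors[key.key_id] = Anchor(State.ADD_PEND, now)
            elif a.state == State.ADD_PEND and now - a.since >= ADD_HOLD_DOWN:
                self.anchors[key.key_id] = Anchor(State.VALID, now)
            elif a.state == State.MISSING:
                self.anchors[key.key_id] = Anchor(State.VALID, now)
            # A key already in REVOKED state stays there even if re-published.
        for kid, a in list(self.anchors.items()):
            if kid not in present and a.state == State.ADD_PEND:
                del self.anchors[kid]   # hold-down restarts if the key reappears
            elif kid not in present and a.state == State.VALID:
                self.anchors[kid] = Anchor(State.MISSING, now)
            elif a.state == State.REVOKED and now - a.since >= REMOVE_HOLD_DOWN:
                del self.anchors[kid]   # RemTime: forget the revoked key
        return True

    def install_out_of_band(self, key_id, now):
        """Hypothetical fallback: an anchor obtained over an authenticated
        channel (the thread's 'Kerberos+LDAP or something like that')."""
        self.anchors[key_id] = Anchor(State.VALID, now)

    def trusted(self):
        return sorted(k for k in self.anchors if self.is_trust_anchor(k))

def rollover_scenario():
    """Normal rollover: K1 introduces K2, K2 is trusted after the hold-down,
    then K1 is revoked. Returns the trusted set after each phase."""
    t = TrustAnchors(["K1"])
    k1, k2 = DNSKEY("K1"), DNSKEY("K2")
    t.observe(0, [k1, k2], {"K1"})
    after_intro = t.trusted()                    # K2 still in AddPend
    t.observe(10 * DAY, [k1, k2], {"K1"})
    mid_hold_down = t.trusted()                  # still only K1
    t.observe(31 * DAY, [k1, k2], {"K1", "K2"})
    after_hold_down = t.trusted()                # K1 and K2
    t.observe(32 * DAY, [DNSKEY("K1", revoked=True), k2], {"K1", "K2"})
    after_revoke = t.trusted()                   # only K2
    return after_intro, mid_hold_down, after_hold_down, after_revoke

def compromise_scenario():
    """The only trust anchor is revoked in an emergency: no Valid anchor remains,
    so a replacement K3 is ignored until installed out of band."""
    t = TrustAnchors(["K1"])
    t.observe(0, [DNSKEY("K1", revoked=True)], {"K1"})
    accepted = t.observe(1 * DAY, [DNSKEY("K3")], {"K3"})   # not signed by any anchor
    before_fallback = t.trusted()
    t.install_out_of_band("K3", 1 * DAY)
    after_fallback = t.trusted()
    return accepted, before_fallback, after_fallback

if __name__ == "__main__":
    print(rollover_scenario())
    print(compromise_scenario())
```

The `compromise_scenario` result is the point of Petr's remark: RFC 5011 can only add a key through an RRset signed by an anchor that is still trusted, so after the last anchor is revoked the client needs a second, authenticated source of truth for the new key. Which component (SSSD or certmonger) owns that fallback is exactly the open question in the thread; the model above does not decide it.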

