[Freeipa-devel] DNSSEC feature status (with pictures!)
Petr Spacek
pspacek at redhat.com
Fri Jul 25 17:43:07 UTC 2014
Hello list,
Now you have a unique chance to stop me before I really implement something
(:-), I'm leaving the DNSSEC world for a while. I will resume work after two weeks
of silence.
Status
======
We (Martin Basti and I) have encountered various problems on our way to
the DNSSEC feature; you can read the summary:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#Implementation
All necessary patches were submitted upstream. Now we need to really write
IPA-code.
Design page
===========
The design has changed many times, so I have drawn a new high-level picture for you:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#Design
This page also describes workflows related to replica management etc. It
would be really nice if someone could review the whole design - some aspects
have changed significantly.
Proof of concept code
=====================
(described on the design page; for the adventurous or archaeologists)
https://github.com/spacekpe/openssl/tree/aes_wrap_pad
https://github.com/spacekpe/ipadnssecd
https://github.com/spacekpe/python-ldap
https://github.com/spacekpe/SoftHSMv2/tree/asym_wrap_api
https://github.com/spacekpe/SoftHSMv2/tree/asym_wrap.sq
https://github.com/spacekpe/SoftHSMv2/tree/cka_sensitive
https://github.com/spacekpe/opendnssec/tree/cka_extractable
https://github.com/spacekpe/freeipa-pkcs11
https://github.com/spacekpe/dnspython/commits/DNSKEY.flags_to_text_set
Have a nice day(s).
--
Petr^2 Spacek