[Freeipa-devel] LDAP schema for DNSSEC keys

Petr Spacek pspacek at redhat.com
Thu Jun 12 14:23:49 UTC 2014 

On 30.4.2014 18:19, Petr Spacek wrote:
> following text summarizes schema & DIT layout for DNSSEC key storage in LDAP.

I have added object classes and default values for attributes I consider 
important. This is final proposal for implementation. Please review it ASAP.

> This is subset of full PKCS#11 schema [0]. It stores bare keys with few
> metadata attributes when necessary.
>
> The intention is to make transition to full PKCS#11-in-LDAP schema [0] as easy
> as possible. This transition should happen in next minor version of FreeIPA.
>
> In theory, the transition should be just adding few object classes to existing
> objects and populating few new metadata attributes. Related object classes are
> marked below with "(in long-term)".
>
> Please comment on it soon. We want to implement it ASAP :-)
>
>
> DNSSEC key
> ==========
> - Asymmetric
> - Private key is stored in LDAP as encrypted PKCS#8 blob
> - Public key is published in LDAP
> - Encrypted with symmetric "DNSSEC master key" (see below)
> - Private key - represented as LDAP object with object classes:
> ipaEPrivateKey  [1] # encrypted data
> ipaWrappedKey   [2] # pointer to master key, outside scope of pure PKCS#11
> ipk11PrivateKey [3] (in long-term) # PKCS#11 metadata
> - Public key - represented as LDAP object with object classes:
> ipaPublicKey    [1] # public key data
> ipk11PublicKey  [3] (in long-term) # PKCS#11 metadata
>
>
> Master key
> ==========
> - Symmetric
> - Stored in LDAP as encrypted blob
> - Encrypted with asymmetric "replica key" (see below)
> - 1 replica = 1 blob, n replicas = n blobs encrypted with different keys
> - A replica uses it's own key for master key en/decryption
> - Represented as LDAP object with object classes:
> ipaESecretKey  [1]
> ipk11SecretKey [3] (in long-term)
>
> Replica key
> ===========
> - Asymmetric
> - Private key is stored on replica's disk only
> - Public key for all replicas is stored in LDAP
> - Represented as LDAP object with object classes:
> ipaPublicKey   [1]
> ipk11PublicKey [3] (in long-term)
>
>
> DIT layout
> ==========
>   DNSSEC key material
>   -------------------
>   - Container: cn=keys, cn=sec, cn=dns, dc=example
>   - Private and public keys are stored as separate objects to accommodate all
> PKCS#11 metadata.
>   - We need to decide about object naming:
>    - One obvious option for RDN is to use uniqueID but I don't like it. It is
> hard to read for humans.
>    - Other option is to use uniqueID+PKCS#11 label or other attributes to make
> it more readable. Can we use multi-valued RDN? If not, why? What are technical
> reasons behind it?
>
> It is question if we like:
>   nsUniqID = 0b0b7e53-957d11e3-a51dc0e5-9a05ecda
>   nsUniqID = 8ae4190d-957a11e3-a51dc0e5-9a05ecda
> more than:
>   ipk11Label=meaningful_label+ipk11Private=TRUE
>   ipk11Label=meaningful_label+ipk11Private=FALSE

dn: ipk11Label=zone1_keyid123_public, cn=keys, cn=sec, cn=dns, dc=example
objectClass: ipk11Object
objectClass: ipk11PublicKey
objectClass: ipaPublicKeyObject
ipk11UniqueId: <UUID>
ipk11Label: zone1_keyid123_public
ipk11Wrap: FALSE
ipk11Verify: TRUE
ipaPublicKey: <public key>

dn: ipk11Label=zone1_keyid123_private, cn=keys, cn=sec, cn=dns, dc=example
objectClass: ipk11Object
objectClass: ipk11PrivateKey
objectClass: ipaPrivateKeyObject
objectClass: ipaWrappedKey
ipaWrappingKey:ipk11Label=dnssec_m1,cn=master,cn=keys,cn=sec,cn=dns,dc=example
ipk11Sign: TRUE
ipk11Decrypt: FALSE
ipk11Unwrap: FALSE
ipaPrivateKey: <blob encrypted with DNSSEC master key>


>   DNSSEC key metadata
>   -------------------
>   - Container (per-zone): cn=keys, idnsname=example.net, cn=dns
>   - Key metadata can be linked to key material via DN or ipk11Id.
>   - This allows key sharing between zones.
> (DNSSEC-metadata will be specified later. That is not important for key storage.)
This will be sorted out in separate thread.

>
>   Replica public keys
>   -------------------
>   - Container: cn=DNS,cn=<replica FQDN>,cn=masters,cn=ipa,cn=etc,dc=example
>    - or it's child object like cn=wrappingKey

- Please note that private part of this key is stored on disk.

dn: ipk11Label=wrapkey_replica1,cn=DNS,cn=<replica 
FQDN>,cn=masters,cn=ipa,cn=etc,dc=example
objectClass: ipk11Object
objectClass: ipk11PublicKey
objectClass: ipaPublicKeyObject
ipk11UniqueId: <UUID>
ipk11Label: wrapkey_replica1
ipk11Wrap: TRUE
ipk11Encrypt: FALSE
ipk11Verify: FALSE
ipaPublicKey: <public key>

>   Master keys
>   -----------
>   - Container: cn=master, cn=keys, cn=sec, cn=dns, dc=example
>   - Single key = single object.
>   - We can use ipk11Label or ipk11Id for naming:
>   ipk11Label=dnssecMaster1, ipk11Label=dnssecMaster2, etc.

dn: ipk11Label=dnssec_m1, cn=master, cn=keys, cn=sec, cn=dns, dc=example
objectClass: ipk11Object
objectClass: ipk11SecretKey
objectClass: ipaWrappedKey
objectClass: ipaSecretKeyObject
ipk11UniqueId: <UUID>
ipk11Label: dnssec_m1
ipk11Wrap: TRUE
ipk11UnWrap: TRUE
ipk11Encrypt: FALSE
ipk11Decrypt: FALSE
ipk11Sign: FALSE
ipk11Verify: FALSE
ipaWrappingAlgo: <algorithm used for key wrapping>
ipaSecretKeyWrappedData: <encrypted blob for replica-1>
ipaSecretKeyWrappedData: <encrypted blob for replica-2>
ipaWrappingKey: <DN of replica-1 public key>
ipaWrappingKey: <DN of replica-2 public key>

Petr^2 Spacek

> Work flows
> ==========
>   Read DNSSEC private key
>   -----------------------
>    1) read DNSSEC private key from LDAP
>    2) ipaWrappedKey objectClass is present - key is encrypted
>    3) read master key denoted by ipaWrappingKey attribute in DNSSEC key object
>    4) use local replica key to decrypt master key
>    5) use decrypted master key to decrypt DNSSEC private key
>
>   Add DNSSEC private key
>   ----------------------
>    1) use local replica key to decrypt master key
>    2) encrypt DNSSEC private key with master key
>    3) add ipaWrappingKey attribute pointing to master key
>    4) store encrypted blob in a new LDAP object
>
>   Add a replica
>   -------------
>   ipa-replica-prepare:
>    1) generate a new replica-key pair for the new replica
>    2) store key pair to replica-file (don't scream yet :-)
>    4) add public key for the new replica to LDAP
>    3) fetch master key from LDAP
>    4) encrypt master key with new replica public key
>    5) store resulting master key blob to LDAP
>   ipa-replica-install:
>    6) generate a new replica-key pair (!)
>    7) store new public key to LDAP
>    8) remove old public key (from replica-file) from LDAP
>    9) fetch master key
>   10) decrypt master key using old private key (from replica-file)
>   11) encrypt master key using new private key (generated locally)
>   12) replace old master key blob in LDAP with new blob (from step 11)
>
>   Delete a replica
>   ----------------
> This is the tricky part. New master key has to be generated on some other
> replica. What should we do if the ipa-replica-manage command was run on
> deleted replica?
>
> I propose to split replica master key roll-over to two phases:
>   Any machine in IPA domain (including to-be deleted replica):
>    1) Delete public key associated with replica from LDAP
>    2) Flip a bit in master key metadata and say "this key needs to be
> re-generated"
>       (Maybe we can disable ipk11Wrap boolean to indicate that this key should
> not be used for key wrapping.)
>
>   Remaining replicas:
>    3) Periodically check that master key is obsolete
>    4) Wait for (random period of time) to limit probability of collision
>    5) Check that master key is really obsolete and new one is not present
>    6) Generate a new master key
>    7) Encrypt new master key with all replica-public-keys stored in LDAP
>    8) Store new master key blobs to a new LDAP object
>       (Conflicts are not a problem up to now because we are not deleting old
> key. In worst case, we will have multiple new master keys.)
> *What should we do now?*
>    9) ??? Re-encrypt all DNSSEC keys with a new master key? (What if we have
> write conflict now?)
>       ??? Let old keys there and wait until key rotation mechanism replaces
> all old DNSSEC keys with new DNSSEC keys encrypted with a new master key (~
> one year)?
>   10) Old master key can be deleted when no other object is referencing to it.
>
>
> Congratulations to people who reached this line and didn't skip anything :-)
>
> [0] http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema
> [1] http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#Encoded_key_data_2
> [2]
> http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#FreeIPA_specifics_-_key_wrapping
>
> [3] http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#Storage_objects

More information about the Freeipa-devel mailing list