[Freeipa-devel] DNSSEC key wrapping: cryptographer needed

Simo Sorce simo at redhat.com
Tue Jun 24 14:14:10 UTC 2014


Tomas Mraz:
> On 2014-06-23 at 14:57 +0200, Petr Spacek wrote:
> > We need to wrap
> > ===============
> > - asymmetric key (zone key)   with symmetric key  (master key)
> > - symmetric key  (master key) with asymmetric key (replica key)
> 
> Can you please provide more info what purpose these keys have? I
> understand that the zone key is the DNSSEC asymmetric key for the zone.
> But what about the master key and replica key? Why the master key is
> symmetric and the replica asymmetric?

What we want is the ability to store keys in LDAP so that multiple servers
can generate DNSSEC keys. This allows no single points of failure, and also
allows local servers to generate signatures for DNS names that may differ
from replica to replica in the future (think things like views).

In order to do that each DNS server needs access to the zone keys, but we do
not want to distribute them unencrypted in LDAP. We also do not want to have
to invent a parallel distribution method to send these keys to all the
replicas that need them.

We do have a private/public key pair on each replica though so we can use
this fact to wrap a symmetric master key with all the public keys of the
replicas that need access to the zone keys, and encrypt the zone keys with
this master key.

The reason to use a symmetric key in the middle is that it allows for a few things:
1. it is easy to re-encrypt it at replica creation time by one of the other
servers as soon as the replica is built and publishes its own key.
This solves the distribution problem to new replicas.

This same mechanism also allows you to redistribute a new key if you need/want to
rotate it for whatever reason.

It also avoids the need to encrypt every zone private key multiple times with each
replica public key, which would cause a lot of churn.

HTH,
Simo.
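The two-level wrapping described in the message above (symmetric master key wrapped to each replica's public key, zone private keys encrypted under the master key), as an added Go example that is not part of this thread or of FreeIPA's code. It assumes RSA-OAEP for the replica key pairs, AES-256-GCM for the master key, and hypothetical function names and OAEP label; the Go standard library is the only dependency.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// oaepLabel (hypothetical) binds a blob to this purpose; other OAEP ciphertext will not unwrap.
var oaepLabel = []byte("dnssec-master-key")
// WrapMasterKey: one RSA-OAEP blob of the symmetric master key per replica.
func WrapMasterKey(master []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, master, oaepLabel)
}
// UnwrapMasterKey recovers the master key with a replica's own private key.
func UnwrapMasterKey(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, blob, oaepLabel)
}
func gcmFor(master []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(master) // a 32-byte master key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// WrapZoneKey seals a zone private key under the master key with AES-GCM:
// random nonce prepended, zone name bound as associated data.
func WrapZoneKey(master, zoneKey []byte, zone string) ([]byte, error) {
	gcm, err := gcmFor(master)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, zoneKey, []byte(zone)), nil
}
// UnwrapZoneKey fails on tampering or on a blob filed under the wrong zone.
func UnwrapZoneKey(master, blob []byte, zone string) ([]byte, error) {
	gcm, err := gcmFor(master)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad master key or wrapped zone key too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], []byte(zone))
}
```

Onboarding a new replica is UnwrapMasterKey on any existing replica followed by WrapMasterKey for the new public key; the per-zone blobs are never touched, which is the churn saving the message describes.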
