[Freeipa-devel] DNSSEC design page: key wrapping

Martin Kosek mkosek at redhat.com
Wed Mar 5 12:05:45 UTC 2014


On 03/04/2014 11:14 PM, Petr Spacek wrote:
> On 4.3.2014 22:53, Simo Sorce wrote:
>> On Tue, 2014-03-04 at 22:38 +0100, Petr Spacek wrote:
>>> On 4.3.2014 22:15, Simo Sorce wrote:
>>>> On Tue, 2014-03-04 at 21:25 +0100, Petr Spacek wrote:
...
>> I guess my only reservation is about whether DRM storage is replicated
>> or not. Although both the K/M and DNS cases do not require the Vault to
>> be online at all times because the keys will be downloaded and stored
>> locally and only need to be accessed when they change, there is the
>> problem of having all keys in a SPOF, that should not happen.
> According to http://www.freeipa.org/page/V4/Password_Vault#Replication the
> replication is available for DRM, we just need to use it.
> 
> IMHO a vault without replication is not useful anyway. Users are not happy when
> their passwords disappear ;-)
> 
>> The additional thing about the Vault is that we can use key escrow there
>> as a mechanism to re-encrypt automatically system relevant keys when a
>> new server is joined to the realm.
> So we agree that Vault offers what we want so we should use it, right?
> 
> I think we should determine if we can use Vault for K/M. It would be another
> reason why we should use Vault instead of a custom solution.
> 

Do we really want to use the heavy machinery Vault for DNSSEC keys? I would
personally like to avoid it and use something more lightweight.

Vault seems to me too heavy a requirement for a FreeIPA server with DNS. It
needs Tomcat and all the Java machinery, special installation, a replication
scheme, difficult debugging etc. In my mind, Vault is a specialized heavy
component that solves specific problems that not every admin may want and thus
may cause a lot of grief to admins who just want CA-less FreeIPA and DNS(SEC).

Marti
