<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 03/12/2014 04:28 PM, Petr Spacek
wrote:<br>
</div>
<blockquote cite="mid:53207D0F.7020403@redhat.com" type="cite">On
12.3.2014 14:07, Ludwig Krispenz wrote:
<br>
<blockquote type="cite">
<br>
On 03/12/2014 01:09 PM, Petr Spacek wrote:
<br>
<blockquote type="cite">On 12.3.2014 12:12, Ludwig Krispenz
wrote:
<br>
<blockquote type="cite">On 03/11/2014 11:33 AM, Petr Spacek
wrote:
<br>
<blockquote type="cite">On 10.3.2014 12:08, Martin Kosek
wrote:
<br>
<blockquote type="cite">On 03/10/2014 11:49 AM, Petr
Spacek wrote:
<br>
<blockquote type="cite">On 7.3.2014 17:33, Dmitri Pal
wrote:
<br>
<blockquote type="cite">I do not think it is the right
architectural approach to try to fix a
<br>
specific
<br>
use case with one off solution while we already know
that we need a key
<br>
storage.
<br>
I would rather do things right and reusable than jam
them into the
<br>
currently
<br>
proposed release boundaries.
<br>
</blockquote>
I want to make clear that I'm not opposed to Vault in
general. I'm
<br>
questioning
<br>
the necessity of Vault from the beginning because it
will delay DNSSEC
<br>
significantly.
<br>
</blockquote>
<br>
+1, I also now see number of scenarios where Vault will
be needed.
<br>
<br>
<blockquote type="cite">
<br>
One of the proposals in this thread is to use
something simple for DNSSEC
<br>
keys
<br>
(with few lines of Python code) and migrate DNSSEC
with Vault when Vault is
<br>
available and stable enough (in some later release).
<br>
<br>
<blockquote type="cite">I understand that Vault brings
a lot of work to the table. But let us
<br>
do it
<br>
right and if it does not fit into 4.0 let us do it
in 4.1.
<br>
</blockquote>
We will have one huge release with DNSSEC + Vault at
once if we to postpone
<br>
DNSSEC to the same release as Vault.
<br>
<br>
As a result, it would be harder to debug it because we
will have to find if
<br>
something is broken because of:
<br>
- DNSSEC-IPA integration
<br>
- Vault-IPA integration
<br>
- DNSSEC-Vault integration.
<br>
<br>
I don't think it is a good idea to make such huge
release.
<br>
<br>
"Release early, release often"
<br>
<br>
</blockquote>
<br>
I must say I tend to agree with Petr. If the "poor man's
solution" of DNSSEC
<br>
without Vault does not cost us too much time and it
would seem that the
<br>
Vault
<br>
is not going to squeeze in 4.0 deadlines, I would rather
release the poor
<br>
man's
<br>
solution in 4.0 and switch to Vault when it's available
in 4.1.
<br>
<br>
This would let our users test the non-Vault parts of our
DNSSEC solution
<br>
instead of waiting to test a perfect solution.
<br>
</blockquote>
<br>
Yesterday we have agreed that DNSSEC support is not going
to depend on Vault
<br>
from the beginning and that we can migrate to Vault later.
<br>
<br>
Here I'm proposing safe upgrade path from non-vault to
Vault solution.
<br>
<br>
After all, it seems relatively easy.
<br>
<br>
TL;DR version
<br>
=============
<br>
Use information in cn=masters to detect if there are old
replicas and
<br>
temporarily convert new keys from Vault to LDAP storage
(until all old
<br>
replicas are deleted).
<br>
<br>
Full version
<br>
============
<br>
IPA 4.0 is going to have OpenDNSSEC key generator on a
single IPA server and
<br>
separate key import/export daemon (i.e. script called from
cron or something
<br>
like that) on all IPA servers.
<br>
<br>
In 4.0, we can add new LDAP objects for DNSSEC-related IPA
services (please
<br>
propose better names :-):
<br>
- key generator:
<br>
cn=OpenDNSSECv1,cn=vm.example.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
<br>
<br>
- key imported/exporter:
<br>
cn=DNSSECKeyImporterv1,cn=vm.example.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
<br>
<br>
<br>
<br>
<br>
Initial state before upgrade:
<br>
- N IPA 4.0 replicas
<br>
- N DNSSECKeyImporterv1 service instances (i.e. key
distribution for IPA 4.0)
<br>
- 1 OpenDNSSECv1 service instance (key generator)
<br>
<br>
Now we want to upgrade a first replica to IPA 4.1. For
simplicity, let's add
<br>
a *requirement* to upgrade the replica with OpenDNSSECv1
first. (We can
<br>
generalize the procedure if this requirement is not
acceptable.)
<br>
<br>
Upgrade procedure:
<br>
- stop OpenDNSSECv1 service
<br>
- stop DNSSECKeyImporterv1 service
<br>
- convert OpenDNSSECv1 database to OpenDNSSECv2
<br>
This step is not related to Vault. We need to covert local
SQLite database
<br>
from single-node OpenDNSSEC to LDAP-backed distributed
OpenDNSSEC.
<br>
</blockquote>
do we need to convert SQLite ? I thought in phase 1 we would
have scripts
<br>
exporting from OpenDNSSEC database and store in ldap, then
the data already
<br>
exist in ldap. We would ned to replace the sofhthsm module
by our own pkcs11
<br>
module using ldap dn directly
<br>
</blockquote>
<br>
I'm sorry for not being clear.
<br>
<br>
The short-term plain is going to be executed without
significant changes:
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm</a>
<br>
<br>
<br>
This discussion is more about potential problems with upgrade
from
<br>
short-term solution to the long-term one - I'm updating
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm</a>
<br>
right now.
<br>
<br>
To answer your question about SQLite database:
<br>
We will have *encryption keys* in LDAP already from the very
beginning
<br>
(exported to LDAP by a script) so upgrade from export script
to PKCS#11
<br>
module should be be smooth.
<br>
<br>
The problem is with various metadata stored in OpenDNSSEC's
database so we
<br>
will have to convert them to LDAP. In short-term we have
neither intent nor
<br>
time to design a LDAP schema for OpenDNSSEC database, just for
the keys.
<br>
</blockquote>
the schema proposal contains attributes for the metadata, so
this should be
<br>
</blockquote>
The current schema stores only PKCS#11 metadata but nothing about
key&signing policy and other DNSSEC-related stuff.
<br>
<br>
We don't have complete schema and we don't have to have it now.
Look at the SQLite database in opendnssecv143.sqlite3.bz2 - it is
pretty complex.
<br>
</blockquote>
ok, so this is not the softhsm pkcs11 sqlite database, but a db
containing other dnssec data, you didn't say that we need ldap
schema for this and for which subset of it<br>
<br>
<blockquote cite="mid:53207D0F.7020403@redhat.com" type="cite">
<br>
We don't have time to prepare schema & port OpenDNSSECv1 to
LDAP backend. (Other aspect is that the schema is different for
OpenDNSSEC v2.)
<br>
<br>
<blockquote type="cite">ok. But I think right now the export
function available in opendnsssec/softhsm
<br>
only exports keys. We would have to have sql scripts to read and
convert the
<br>
sqlite3 database
<br>
</blockquote>
<br>
Yes, we will have to have such script for upgrades from short-term
-> long-term solution.
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
</body>
</html>