[Freeipa-devel] certmonger/oddjob for DNSSEC key maintenance

Simo Sorce simo at redhat.com
Wed Sep 4 17:57:45 UTC 2013


On Wed, 2013-09-04 at 12:53 -0400, Dmitri Pal wrote:
> Should we treat this functionality independently of the tool?
> I am concerned with the volume of the load and replication. I think it
> should be an option: a single master generates keys, or you can enable
> others to generate the keys, and if they are enabled to generate the
> keys they would follow the algorithm proposed by Simo.
> 
Having a single master generate keys is a single point of failure and
will bring down your whole infrastructure if you really use DNSSEC.

I say we cannot release DNSSEC as usable unless we have robust/redundant
key generation.

My schema does not add any relevant replication traffic; keep in mind
that the only keys generated are the signing keys, which are rotated once
every few months.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
