[Freeipa-devel] LDAP schema for DNSSEC keys

Rich Megginson rmeggins at redhat.com
Fri May 2 19:07:44 UTC 2014 

On 05/02/2014 12:48 PM, Petr Spacek wrote:
> On 1.5.2014 16:10, Rich Megginson wrote:
>> On 04/30/2014 10:19 AM, Petr Spacek wrote:
>>> Hello list,
>>>
>>> following text summarizes schema & DIT layout for DNSSEC key storage 
>>> in LDAP.
>>>
>>> This is subset of full PKCS#11 schema [0]. It stores bare keys with few
>>> metadata attributes when necessary.
>>>
>>> The intention is to make transition to full PKCS#11-in-LDAP schema 
>>> [0] as
>>> easy as possible. This transition should happen in next minor 
>>> version of
>>> FreeIPA.
>>>
>>> In theory, the transition should be just adding few object classes to
>>> existing objects and populating few new metadata attributes. Related 
>>> object
>>> classes are marked below with "(in long-term)".
>>>
>>> Please comment on it soon. We want to implement it ASAP :-)
>>>
>>>
>>> DNSSEC key
>>> ==========
>>> - Asymmetric
>>> - Private key is stored in LDAP as encrypted PKCS#8 blob
>>> - Public key is published in LDAP
>>> - Encrypted with symmetric "DNSSEC master key" (see below)
>>> - Private key - represented as LDAP object with object classes:
>>> ipaEPrivateKey  [1] # encrypted data
>>> ipaWrappedKey   [2] # pointer to master key, outside scope of pure 
>>> PKCS#11
>>> ipk11PrivateKey [3] (in long-term) # PKCS#11 metadata
>>> - Public key - represented as LDAP object with object classes:
>>> ipaPublicKey    [1] # public key data
>>> ipk11PublicKey  [3] (in long-term) # PKCS#11 metadata
>>>
>>>
>>> Master key
>>> ==========
>>> - Symmetric
>>> - Stored in LDAP as encrypted blob
>>> - Encrypted with asymmetric "replica key" (see below)
>>> - 1 replica = 1 blob, n replicas = n blobs encrypted with different 
>>> keys
>>> - A replica uses it's own key for master key en/decryption
>>> - Represented as LDAP object with object classes:
>>> ipaESecretKey  [1]
>>> ipk11SecretKey [3] (in long-term)
>>>
>>> Replica key
>>> ===========
>>> - Asymmetric
>>> - Private key is stored on replica's disk only
>>> - Public key for all replicas is stored in LDAP
>>> - Represented as LDAP object with object classes:
>>> ipaPublicKey   [1]
>>> ipk11PublicKey [3] (in long-term)
>>>
>>>
>>> DIT layout
>>> ==========
>>>  DNSSEC key material
>>>  -------------------
>>>  - Container: cn=keys, cn=sec, cn=dns, dc=example
>>>  - Private and public keys are stored as separate objects to 
>>> accommodate all
>>> PKCS#11 metadata.
>>>  - We need to decide about object naming:
>>>   - One obvious option for RDN is to use uniqueID but I don't like 
>>> it. It is
>>> hard to read for humans.
>>>   - Other option is to use uniqueID+PKCS#11 label or other 
>>> attributes to
>>> make it more readable. Can we use multi-valued RDN? If not, why? 
>>> What are
>>> technical reasons behind it?
>>
>> I would encourage you not to use multi-valued RDNs.  There aren't any
>> technical reasons - multi-valued RDNs are part of the LDAP standards 
>> and all
>> conforming LDAP implementations must support them.  However, they are 
>> hard to
>> deal with - you _must_ have some sort of DN class/api on the client 
>> side to
>> handle them, and not all clients do - many clients expect to be able 
>> to just
>> do dnstr.lower() == dnstr2.lower() or possibly do simple escaping.
>>
>> As far as being human readable - the whole goal is that humans 
>> _never_ have to
>> look at a DN.  If humans have to look at and understand a DN to 
>> accomplish a
>> task, then we have failed.
> I agree, users should not see them. I want to make life easier for 
> administrators and developers *debugging* it.
>
> I'm facing UUIDs-only logs and database in oVirt for more than year 
> now and I can tell you that it is horrible, horrible, horrible. It is 
> PITA when I have to debug something in oVirt because I have to search 
> for UUIDs all the time. I want to scream and jump out of the window 
> when I see single log line with 4 or more different UUIDs... :-)

I sympathize, having to go through this with Designate, parsing up to 4 
UUIDs per debug log line . . .

>
>> Has the DogTag team reviewed this proposal?  Their data storage and 
>> workflows
>> are similar.
> That is very good point! Nathan, could somebody from DS team (maybe 
> somebody involved in Password Vault) review this "vault without Vault"?

>
> Thank you!
>
>>> It is question if we like:
>>>  nsUniqID = 0b0b7e53-957d11e3-a51dc0e5-9a05ecda
>>>  nsUniqID = 8ae4190d-957a11e3-a51dc0e5-9a05ecda
>>> more than:
>>>  ipk11Label=meaningful_label+ipk11Private=TRUE
>>>  ipk11Label=meaningful_label+ipk11Private=FALSE
>>>
>>>  DNSSEC key metadata
>>>  -------------------
>>>  - Container (per-zone): cn=keys, idnsname=example.net, cn=dns
>>>  - Key metadata can be linked to key material via DN or ipk11Id.
>>>  - This allows key sharing between zones.
>>> (DNSSEC-metadata will be specified later. That is not important for key
>>> storage.)
>>>
>>>  Replica public keys
>>>  -------------------
>>>  - Container: cn=DNS,cn=<replica 
>>> FQDN>,cn=masters,cn=ipa,cn=etc,dc=example
>>>   - or it's child object like cn=wrappingKey
>>>
>>>  Master keys
>>>  -----------
>>>  - Container: cn=master, cn=keys, cn=sec, cn=dns, dc=example
>>>  - Single key = single object.
>>>  - We can use ipk11Label or ipk11Id for naming:
>>>  ipk11Label=dnssecMaster1, ipk11Label=dnssecMaster2, etc.
>>>
>>>
>>> Work flows
>>> ==========
>>>  Read DNSSEC private key
>>>  -----------------------
>>>   1) read DNSSEC private key from LDAP
>>>   2) ipaWrappedKey objectClass is present - key is encrypted
>>>   3) read master key denoted by ipaWrappingKey attribute in DNSSEC 
>>> key object
>>>   4) use local replica key to decrypt master key
>>>   5) use decrypted master key to decrypt DNSSEC private key
>>>
>>>  Add DNSSEC private key
>>>  ----------------------
>>>   1) use local replica key to decrypt master key
>>>   2) encrypt DNSSEC private key with master key
>>>   3) add ipaWrappingKey attribute pointing to master key
>>>   4) store encrypted blob in a new LDAP object
>>>
>>>  Add a replica
>>>  -------------
>>>  ipa-replica-prepare:
>>>   1) generate a new replica-key pair for the new replica
>>>   2) store key pair to replica-file (don't scream yet :-)
>>>   4) add public key for the new replica to LDAP
>>>   3) fetch master key from LDAP
>>>   4) encrypt master key with new replica public key
>>>   5) store resulting master key blob to LDAP
>>>  ipa-replica-install:
>>>   6) generate a new replica-key pair (!)
>>>   7) store new public key to LDAP
>>>   8) remove old public key (from replica-file) from LDAP
>>>   9) fetch master key
>>>  10) decrypt master key using old private key (from replica-file)
>>>  11) encrypt master key using new private key (generated locally)
>>>  12) replace old master key blob in LDAP with new blob (from step 11)
>>>
>>>  Delete a replica
>>>  ----------------
>>> This is the tricky part. New master key has to be generated on some 
>>> other
>>> replica. What should we do if the ipa-replica-manage command was run on
>>> deleted replica?
>>>
>>> I propose to split replica master key roll-over to two phases:
>>>  Any machine in IPA domain (including to-be deleted replica):
>>>   1) Delete public key associated with replica from LDAP
>>>   2) Flip a bit in master key metadata and say "this key needs to be
>>> re-generated"
>>>      (Maybe we can disable ipk11Wrap boolean to indicate that this key
>>> should not be used for key wrapping.)
>>>
>>>  Remaining replicas:
>>>   3) Periodically check that master key is obsolete
>>>   4) Wait for (random period of time) to limit probability of collision
>>>   5) Check that master key is really obsolete and new one is not 
>>> present
>>>   6) Generate a new master key
>>>   7) Encrypt new master key with all replica-public-keys stored in LDAP
>>>   8) Store new master key blobs to a new LDAP object
>>>      (Conflicts are not a problem up to now because we are not 
>>> deleting old
>>> key. In worst case, we will have multiple new master keys.)
>>> *What should we do now?*
>>>   9) ??? Re-encrypt all DNSSEC keys with a new master key? (What if 
>>> we have
>>> write conflict now?)
>>>      ??? Let old keys there and wait until key rotation mechanism 
>>> replaces
>>> all old DNSSEC keys with new DNSSEC keys encrypted with a new master 
>>> key (~
>>> one year)?
>>>  10) Old master key can be deleted when no other object is 
>>> referencing to it.
>>>
>>>
>>> Congratulations to people who reached this line and didn't skip 
>>> anything :-)
>>>
>>> [0] http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema
>>> [1] 
>>> http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#Encoded_key_data_2
>>> [2]
>>> http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#FreeIPA_specifics_-_key_wrapping 
>>>
>>>
>>> [3] 
>>> http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#Storage_objects
>

More information about the Freeipa-devel mailing list