On 19.7.2013 19:55, Simo Sorce wrote:
I will reply to the rest of the message later if necessary, still
digesting some of your answers, but I wanted to address the following

On Fri, 2013-07-19 at 18:29 +0200, Petr Spacek wrote:

The most important question at the moment is "What can we postpone?
fragile it can be for shipping it as part of Fedora 20?" Could we
DNSSEC support as "technology preview"/"don't use it for anything

Until we figur out proper management in LDAP we will be a bit stuck, esp
if we want to consider usin the 'somthing' that stores keys instead of
toring them stright in LDAP.

So maybe we can start with allowing just one server to do DNSSEC and
source keys from files for now ?

The problem is that DNSSEC deployment *on single domain* is 'all or nothing': All DNS servers have to support DNSSEC otherwise the validation on client side can fail randomly.

Note that *parent* zone indicates that the particular child zone is secured with DNSSEC by sending DS (delegation signer) record to the client. Validation will fail if client receives DS record from the parent but no signatures are present in data from 'child' zone itself.

This prevents downgrade (DNSSEC => plain DNS) attacks.

As a result, we have only two options: One DNS server with DNSSEC enabled or arbitrary number DNS servers without DNSSEC, which is very unfortunate.

as soon as we have that workign we should also have clearer plans about
how we manage keys in LDAP (or elsewhere).

Petr^2 Spacek

Freeipa-devel mailing list

Reply via email to