On 23.7.2013 10:55, Petr Spacek wrote:
On 19.7.2013 19:55, Simo Sorce wrote:
I will reply to the rest of the message later if necessary, still
digesting some of your answers, but I wanted to address the following

On Fri, 2013-07-19 at 18:29 +0200, Petr Spacek wrote:

The most important question at the moment is "What can we postpone?
fragile it can be for shipping it as part of Fedora 20?" Could we
DNSSEC support as "technology preview"/"don't use it for anything

Until we figur out proper management in LDAP we will be a bit stuck, esp
if we want to consider usin the 'somthing' that stores keys instead of
toring them stright in LDAP.

So maybe we can start with allowing just one server to do DNSSEC and
source keys from files for now ?

The problem is that DNSSEC deployment *on single domain* is 'all or nothing':
All DNS servers have to support DNSSEC otherwise the validation on client side
can fail randomly.

Note that *parent* zone indicates that the particular child zone is secured
with DNSSEC by sending DS (delegation signer) record to the client. Validation
will fail if client receives DS record from the parent but no signatures are
present in data from 'child' zone itself.

This prevents downgrade (DNSSEC => plain DNS) attacks.

As a result, we have only two options: One DNS server with DNSSEC enabled or
arbitrary number DNS servers without DNSSEC, which is very unfortunate.

as soon as we have that workign we should also have clearer plans about
how we manage keys in LDAP (or elsewhere).

Dmitri, Martin and me discussed this proposal in person and the new plan is:
- Elect one super-master which will handle key generation (as we do with special CA certificates)
- Store generated DNSSEC keys in LDAP
- Encrypt stored keys with 'DNSSEC master key' shared by all servers
- Derive 'DNSSEC master key' from 'Kerberos master key' during server install/upgrade and store it somewhere on the filesystem (as the Kerberos master key, on each IPA server)
- Consider certmonger or oddjob as key generation triggers

I think that we should add one new thing - a 'salt' - used for Kerberos master key->DNSSEC master key derivation. It would allow us to re-generate DNSSEC master key as necessary without a change in the Kerberos master key.

Does it make sense? Does anybody have any ideas/recommendations which libraries we should use for key derivation and key material en/decryption?

Thank you for your time!

Petr^2 Spacek

Freeipa-devel mailing list

Reply via email to