Hello,

I would like to get opinions about key maintenance for DNSSEC.

Problem summary:
- FreeIPA will support DNSSEC
- DNSSEC deployment requires <2,n> cryptographic keys for each DNS zone (i.e. objects in LDAP)
- The same keys are shared by all FreeIPA servers
- Keys have a limited lifetime and have to be re-generated on a monthly basis (in very first approximation, it will be configurable and the interval will differ for different key types)
- The plan is to store keys in LDAP and let 'something' (i.e. certmonger or oddjob?) generate and store the new keys back into LDAP
- There are command line tools for key-generation (dnssec-keygen from the package bind-utils)
- We plan to select one super-master which will handle regular key-regeneration (i.e. do the same as we do for special CA certificates)
- Keys stored in LDAP will be encrypted somehow, most probably by some symmetric key shared among all IPA DNS servers

Could certmonger or oddjob do key maintenance for us? I can imagine something like this:
- watch some attributes in LDAP and wait until some key expires
- run dnssec-keygen utility
- read resulting keys and encrypt them with given 'master key'
- store resulting blobs in LDAP
- wait until another key reaches expiration timestamp

It is simplified, because there will be multiple keys with different lifetimes, but the idea is the same. All the gory details are in the thread '[Freeipa-devel] DNSSEC support design considerations: key material handling':
https://www.redhat.com/archives/freeipa-devel/2013-July/msg00129.html
https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html

Nalin and others, what do you think? Is certmonger or oddjob the right place to do something like this?

Thank you for your time!

--
Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
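
The "wait until a key expires, then run dnssec-keygen" loop from the list in the mail, as an added example (not part of the original message and not FreeIPA, certmonger or oddjob code): it decides which keys need a successor and when to wake up next. The record shape, lifetimes, pre-publish margin, algorithm and key directory are assumptions; encryption and the LDAP write are left out because the mail does not specify them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed values: the mail only says lifetimes are configurable per key type.
LIFETIME = {"KSK": timedelta(days=365), "ZSK": timedelta(days=30)}
PREPUBLISH = timedelta(days=3)  # assumed margin to publish a successor early

@dataclass(frozen=True)
class KeyRecord:  # hypothetical shape of one key object read from LDAP
    zone: str
    key_type: str  # "KSK" or "ZSK"
    expires: datetime

def keygen_argv(zone, key_type, key_dir="/var/tmp/dnssec-keys"):
    """Command line for a replacement key (algorithm and directory assumed)."""
    argv = ["dnssec-keygen", "-a", "ECDSAP256SHA256", "-K", key_dir]
    if key_type == "KSK":
        argv += ["-f", "KSK"]
    return argv + [zone]

def plan(records, now):
    """Return (keys that need a successor now, next wake-up time)."""
    newest = {}
    for r in records:  # an old key with a newer sibling must not trigger again
        k = (r.zone, r.key_type)
        if k not in newest or r.expires > newest[k].expires:
            newest[k] = r
    due, wake = [], None
    for r in newest.values():
        roll_at = r.expires - PREPUBLISH
        if roll_at <= now:
            due.append(r)
            roll_at = now + LIFETIME[r.key_type] - PREPUBLISH
        wake = roll_at if wake is None or roll_at < wake else wake
    return sorted(due, key=lambda r: (r.zone, r.key_type)), wake

UTC = timezone.utc
NOW = datetime(2013, 9, 1, tzinfo=UTC)  # constructed sample data below
SAMPLE = [
    KeyRecord("example.test.", "KSK", datetime(2014, 6, 1, tzinfo=UTC)),
    KeyRecord("example.test.", "ZSK", datetime(2013, 9, 2, tzinfo=UTC)),
    KeyRecord("ipa.example.test.", "ZSK", datetime(2013, 8, 20, tzinfo=UTC)),
    KeyRecord("ipa.example.test.", "ZSK", datetime(2013, 9, 19, tzinfo=UTC)),
]

if __name__ == "__main__":
    due, wake = plan(SAMPLE, NOW)
    for r in due:
        print(" ".join(keygen_argv(r.zone, r.key_type)))
    print("next wake-up:", wake.isoformat())
```

Considering only the newest key per zone and type keeps the job idempotent: a restart on the super-master, or an already expired key that has a successor, does not cause a second key to be generated.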