On 08/27/2013 03:05 PM, Rob Crittenden wrote: > Dmitri Pal wrote: >> On 08/09/2013 08:30 AM, Petr Spacek wrote: >>> Hello, >>> >>> I would like to get opinions about key maintenance for DNSSEC. >>> >>> Problem summary: >>> - FreeIPA will support DNSSEC >>> - DNSSEC deployment requires <2,n> cryptographic keys for each DNS >>> zone (i.e. objects in LDAP) >>> - The same keys are shared by all FreeIPA servers >>> - Keys have limited lifetime and have to be re-generated on monthly >>> basics (in very first approximation, it will be configurable and the >>> interval will differ for different key types) >>> - The plan is to store keys in LDAP and let 'something' (i.e. >>> certmonger or oddjob?) to generate and store the new keys back into >>> LDAP >>> - There are command line tools for key-generation (dnssec-keygen from >>> the package bind-utils) >>> - We plan to select one super-master which will handle regular >>> key-regeneration (i.e. do the same as we do for special CA >>> certificates) >>> - Keys stored in LDAP will be encrypted somehow, most probably by some >>> symmetric key shared among all IPA DNS servers >>> >>> Could certmonger or oddjob do key maintenance for us? I can imagine >>> something like this: >>> - watch some attributes in LDAP and wait until some key expires >>> - run dnssec-keygen utility >>> - read resulting keys and encrypt them with given 'master key' >>> - store resulting blobs in LDAP >>> - wait until another key reaches expiration timestamp >>> >>> It is simplified, because there will be multiple keys with different >>> lifetimes, but the idea is the same. All the gory details are in the >>> thread '[Freeipa-devel] DNSSEC support design considerations: key >>> material handling': >>> https://www.redhat.com/archives/freeipa-devel/2013-July/msg00129.html >>> https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html >>> >>> Nalin and others, what do you think? Is certmonger or oddjob the right >>> place to do something like this? >>> >>> Thank you for your time! >>> >> Was there any discussion of this mail? >> > > I think at least some of this was covered in another thread, "DNSSEC > support design considerations: key material handling" at > https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html > > rob > > Yes, I have found that thread though I have not found it to come to some conclusion and a firm plan. I will leave to Petr to summarize outstanding issues and repost them.
BTW I like the idea of masters being responsible for generating a subset of the keys as Loris suggested. -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
