On Wed, 2014-03-05 at 16:29 +0100, Martin Kosek wrote: > On 03/05/2014 03:04 PM, Simo Sorce wrote: > > On Wed, 2014-03-05 at 13:05 +0100, Martin Kosek wrote: > >> On 03/04/2014 11:14 PM, Petr Spacek wrote: > >>> On 4.3.2014 22:53, Simo Sorce wrote: > >>>> On Tue, 2014-03-04 at 22:38 +0100, Petr Spacek wrote: > >>>>> On 4.3.2014 22:15, Simo Sorce wrote: > >>>>>> On Tue, 2014-03-04 at 21:25 +0100, Petr Spacek wrote: > >> ... > >>>> I guess my only reservation is about whether DRM storage is replicated > >>>> or not. Although both the K/M and DNS cases do not require the Vault to > >>>> be online at all times because the keys will be downloaded and stored > >>>> locally and only needs to be accessed when they changed, there is the > >>>> problem of having all keys in a SPOF, that should not happen. > >>> According to http://www.freeipa.org/page/V4/Password_Vault#Replication the > >>> replication is available for DRM, we just need to use it. > >>> > >>> IMHO a vault without replication is not useful anyway. Users are not > >>> happy when > >>> their passwords disappear ;-) > >>> > >>>> The additional thing about the Vault is that we can use key escrow there > >>>> as a mechanism to re-encrypt automatically system relevant keys when a > >>>> new server is joined to the realm. > >>> So we agree that Vault offers what we want so we should use it, right? > >>> > >>> I think we should determine if we can use Vault for K/M. It would be > >>> another > >>> reason why we should use Vault instead of a custom solution. > >>> > >> > >> Do we really want to use the heavy machinery Vault for DNSSEC keys? I would > >> personally like to avoid it and use something more lightweight. > >> > >> Vault seems to me as a too heavy requirement for FreeIPA server with DNS. > >> It > >> needs Tomcat and all the Java machinery, special installation, replication > >> scheme, difficult debugging etc. In my mind, Vault is a specialized heavy > >> component that solves specific problems that not every admin may want and > >> thus > >> may cause a lot of grief to such admins who just want CA-less FreeIPA and > >> DNS(SEC). > > > > Well keep in mind that you do not need a vault instance on every DNS > > server, just like a CA a few servers would be sufficient. DNS key > > rotation happens relatively 'rarely' so the dependency is not a huge > > problem in terms of performance or management. There is the problem of > > the heavyweight java-based infrastructure, but we already have that > > dependency for the CA part, so it's not like we are adding anything new. > > Yeah, but the plan is not force people to have the heavy weight Java > infrastructure on each server so that they are able to create more lightweight > servers only with components they choose: > > https://fedorahosted.org/freeipa/ticket/4058
Yes, but the Vault does not need to be installed on each server, just on a couple of them like for the CA. In particular it doesn't need to be installed on the same servers that offer the DNS service. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
