Hello list,
Now you have a unique chance to stop me before I really implement something
(:-), I'm leaving the DNSSEC world for a while. I will resume work after two weeks
of silence.
Status
======
We (Martin Basti and I) have encountered various problems on our way to
the DNSSEC feature, you can read the summary:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#Implementation
All necessary patches were submitted upstream. Now we need to really write
IPA-code.
Design page
===========
The design has changed many times so I have drawn a new high-level picture for you:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#Design
This page also describes work flows related to replica management etc. It
would be really nice if someone could review the whole design - some aspects
have changed significantly.
Proof of concept code
=====================
(described on the design page; for the adventurous or archaeologists)
https://github.com/spacekpe/openssl/tree/aes_wrap_pad
https://github.com/spacekpe/ipadnssecd
https://github.com/spacekpe/python-ldap
https://github.com/spacekpe/SoftHSMv2/tree/asym_wrap_api
https://github.com/spacekpe/SoftHSMv2/tree/asym_wrap.sq
https://github.com/spacekpe/SoftHSMv2/tree/cka_sensitive
https://github.com/spacekpe/opendnssec/tree/cka_extractable
https://github.com/spacekpe/freeipa-pkcs11
https://github.com/spacekpe/dnspython/commits/DNSKEY.flags_to_text_set
Have a nice day(s).
--
Petr^2 Spacek
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel