[Opendnssec-develop] FYI: Enforcer storage in LDAP at RedHat
Rick van Rein
rick at openfortress.nl
Wed Jun 25 12:53:03 UTC 2014
Hi,
A while back we discussed alternate databases, and I proposed LDAP as an option. It was deemed too far off the current design of the Enforcer, even if it is technically practical for many admins.
When discussing some OpenDNSSEC-related things with Petr Spacek, he showed me RedHat's project that is doing exactly this; they are storing the information from the Enforcer in their FreeIPA infrastructure. Their short- and long-term plans are here:
* https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
* https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm
They also intend to store wrapped private keys in LDAP; I am talking them through alternatives which retain PKCS #11 protection yet support their wishes.
Cheers,
-Rick