[Opendnssec-develop] FYI: Enforcer storage in LDAP at RedHat

Jerry Lundström jerry at opendnssec.org
Thu Jun 26 06:19:41 UTC 2014


Hi Rick,

Currently home sick so I will be short.

Petr sent a mail to the user list in early March and it did not go
unnoticed. We are working on a new database layer [1][2]; it supports
basically any backend and we are converting existing code from C++ to C and
making it non-transactional.

[1] https://github.com/opendnssec/opendnssec/pull/76
[2] https://github.com/jelu/opendnssec/tree/dbx/enforcer-ng/src/db

-- 
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

On 25 jun 2014, at 14:53, Rick van Rein <rick at openfortress.nl> wrote:

Hi,

A while back we’ve discussed alternate databases, and I proposed LDAP as an
option.  It was deemed too far off the current design of the Enforcer, even
if it is technically practical for many admins.

When discussing some OpenDNSSEC-related things with Petr Spacek, he showed
me RedHat's project that is doing exactly this; they are storing the
information from the Enforcer in their FreeIPA infrastructure.  Their short
and long term plans are here:

* https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm
* https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm

They also intend to store wrapped private keys in LDAP; I am talking them
through alternatives which retain PKCS #11 protection yet support their
wishes.


Cheers,
-Rick