[Opendnssec-user] distributed OpenDNSSEC (distributed database and HSM)
Petr Spacek
pspacek at redhat.com
Tue Mar 4 12:59:04 UTC 2014
Hello,
I'm Petr Spacek from Red Hat's Identity Management group. We are working on a
distributed solution for DNS+DNSSEC key management for servers. Our goal is to
design a system without a single point of failure, and we would like to discuss
how to make OpenDNSSEC fully distributed.
Background
==========
This effort is part of the FreeIPA project; see http://www.freeipa.org/ if you
want to see the big picture. DNS(SEC) is one small part of it.
The basic component is a multi-master replicated LDAP database and we build on
top of it.
We have built the so-called bind-dyndb-ldap plugin for BIND 9 so we can use BIND 9
as a multi-master DNS server (it is still more or less standards-compliant):
https://fedorahosted.org/bind-dyndb-ldap/
We plan to use the in-line signing functionality of BIND 9 to have distributed
data signing without a SPOF:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
OpenDNSSEC 1.x
==============
As a first step, we would like to use the enforcer from OpenDNSSEC 1.x for key
maintenance and use some glue logic to distribute keys to all BIND 9 instances
for in-line signing. We plan to use the existing OpenDNSSEC 1.x without any change.
OpenDNSSEC 2.x
==============
Naturally, we want to do key maintenance in a distributed manner :-)
The question is whether you would accept patches adding support for an LDAP
backend to OpenDNSSEC 2.x and patches supporting distributed operation (mainly
in the enforcer-ng).
I have looked into git/enforcer-ng/src/protobuf-orm and it seems that
everything is SQL-specific. Would you accept patches adding some abstraction
to the database interface?
The next thing is key distribution. In the long term, we plan to write and use a
SoftHSM equivalent backed by an LDAP database with a local cache for
key/certificate storage, so key management/sharing will be solved transparently
from OpenDNSSEC's point of view.
If you are interested, you can read more about PKCS#11-over-LDAP on
http://www.freeipa.org/page/V4/PKCS11_in_LDAP
or join freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel
So the main question is:
Would you accept patches for database backend abstraction and distributed
behavior (in enforcer-ng)?
Maybe there is a better approach ... We are open to ideas.
Thank you for your time!
--
Petr Spacek @ Red Hat
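The BIND 9 in-line signing that the message above plans to build on, shown as an added configuration example (this is not from the message, FreeIPA, bind-dyndb-ldap or OpenDNSSEC): named serves the zone from an unsigned master file, keeps a signed copy alongside it, and takes the signing keys from key-directory, which is where any glue logic distributing keys from the enforcer to each BIND instance would have to place the K*.key / K*.private files. The zone name, file paths and the serial-update-method choice are assumptions.

```conf
// Added example: named.conf fragment for a BIND 9 (9.9+) in-line signed zone.
// Zone name and paths are assumptions, not values from the message above.
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation auto;
};

zone "example.com" IN {
    type master;
    file "example.com.zone";          // unsigned zone data, edited as usual

    // Keys for this zone. named looks here for Kexample.com.+NNN+NNNNN.{key,private};
    // with several masters, every instance must see the same key set and the
    // same timing metadata (publish/activate/inactive/delete) to sign consistently.
    key-directory "/var/named/keys";

    inline-signing yes;               // named maintains example.com.zone.signed itself
    auto-dnssec maintain;             // named signs, re-signs and rolls keys per key metadata

    // How the signed copy's SOA serial advances; "unixtime" avoids two masters
    // producing different signed zones that share a serial.
    serial-update-method unixtime;
};
```

With this setup the zone file never contains RRSIG records; an operator or an enforcer controls signing only through the key files and their timing metadata in key-directory, which is exactly the interface the message proposes to feed from OpenDNSSEC's enforcer.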