[Opendnssec-user] distributed OpenDNSSEC (distributed database and HSM)

Jerry Lundström jerry at opendnssec.org
Tue Mar 4 13:23:40 UTC 2014


Hi Petr,

Very cool to hear that OpenDNSSEC will be used for this!

On 04 Mar 2014, at 13:59, Petr Spacek <pspacek at redhat.com> wrote:

> OpenDNSSEC 2.x
> ==============
> Naturally, we want to do key maintenance in a distributed manner :-)
> 
> The question is if you would accept patches adding support for an LDAP backend to OpenDNSSEC 2.x and patches supporting distributed operation (mainly in the enforcer-ng).
> 
> I have looked into git/enforcer-ng/src/protobuf-orm and it seems that everything is SQL-specific. Would you accept patches adding some abstraction to the database interface?

Yes, the current interface is very SQLish; I can see a few places where you might be able to add another layer that would make an LDAP backend possible. Maybe you can supply a patch (or parts of a patch) so we can get a better view of what you want to do and discuss it further? Just a bit of a notice: we are currently discussing the usage of protobuf-orm and it may or may not be changed in the near future.

> The next thing is key distribution. In the long term, we plan to write and use a SoftHSM equivalent backed with an LDAP database and local cache for key/certificate storage so key management/sharing will be solved transparently from OpenDNSSEC's point of view.

Have you looked at SoftHSMv2 (https://github.com/opendnssec/SoftHSMv2)? Maybe making an LDAP backend for it would do for distributed key management (just guessing).

> So the main question is:
> Would you accept patches for database backend abstraction and distributed behavior (in enforcer-ng)?

Of course, we recently moved all our software to GitHub in order to better handle submission of code.

Looking forward to your pull requests! :)

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
