[Opendnssec-user] distributed OpenDNSSEC (distributed database and HSM)

Petr Spacek pspacek at redhat.com
Tue Mar 4 17:49:39 UTC 2014


On 4.3.2014 16:00, Sara Dickinson wrote:
> On 4 Mar 2014, at 12:59, Petr Spacek <pspacek at redhat.com> wrote:
>
>> So the main question is:
>> Would you accept patches for database backend abstraction and distributed behavior (in enforcer-ng)?
>>
>> Maybe there is a better approach ... We are open to ideas.
>
> Hi Petr,
>
> If you are looking at making these kind of changes, I would suggest we collaborate up front. We would be happy to talk through your requirements and see how what you want to do fits in with the current design and roadmap for 2.0.

Great, that is the reason why we are here now :-)

We (Red Hat's Identity Management group) want to explore the feasibility of this 
approach now and implement it in the next months if we determine that it is the 
best approach.

Very briefly - the goal is to make OpenDNSSEC fully distributed, without any 
single-point-of-failure. Please see my initial e-mail for additional details.

We plan to use it along with BIND 9 to create a fully distributed DNS(SEC) system.

You can see the very basic block diagram here:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm


One side-effect is the development of a PKCS#11 module on top of an LDAP database. 
One of the options is to modify SoftHSMv2 (if you are willing to accept patches), 
or maybe some completely different approach; we don't know yet. This will be a 
somewhat separate effort, so we can discuss it separately in a different e-mail thread.


> Perhaps we could set up a short call to spin over the details and get the right people talking to each other?

We can definitely do that when necessary. Maybe we can wait a little with 
it so that all interested people have time to read the related documents and think 
about it a little before a call.

Have a nice day!

-- 
Petr Spacek  @  Red Hat
