[Opendnssec-user] distributed OpenDNSSEC (distributed database and HSM)

Jerry Lundström jerry at opendnssec.org
Thu Mar 6 10:15:31 UTC 2014


Hi Petr,

On 04 Mar 2014, at 17:33 , Petr Spacek <pspacek at redhat.com> wrote:

> On 4.3.2014 14:23, Jerry Lundström wrote:
>> Yes, the current interface is very SQLish; I can see a few places where you might be able to add another layer that would make an LDAP backend possible.
> Could you be more specific? I would like to look at the code we are talking about.

It depends on what you want to do: if you want to add complete support for other types of data sources, then we need to refactor a bit. Otherwise it could be “hacked” into the source.

> It would be even better to see some design document with database schema description but I can't find one on https://wiki.opendnssec.org/ .

The database schema is auto-generated from the protobuf definitions; the simplest way to see the database schema is to fire up an instance, run the setup command and then dump it.

> Could you tell me what alternatives are under consideration? What do you like and don't like about protobuf-orm? I'm curious if there is something fulfilling your needs but not bound to the SQL paradigm.

It's too early in the discussions to say anything.

> Plain SoftHSMv2 is probably not the best use case because we plan to support off-line operation and other things like that and we will want (I guess) to re-use existing code.

What do you mean by off-line operations? If it's something where you can generate new keys locally and then sync it, I don’t see why this can’t be supported by a backend in SoftHSMv2.

> Great. It will take some time before we get to writing some code (one or more months) but we want to know if the idea is good or if we should search for some other solution.

If you're looking for good key management then you’ve come to the right place!

> BTW are proposed changes something that needs attention from "OpenDNSSEC Architecture Board"? If so, who should I contact and how?

No, not for adding a database backend.

Regards,
Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
