[Opendnssec-user] distributed OpenDNSSEC (distributed database and HSM)

Petr Spacek pspacek at redhat.com
Thu Mar 6 13:06:11 UTC 2014


Hi Jerry,

On 6.3.2014 11:15, Jerry Lundström wrote:
> Hi Petr,
> On 04 Mar 2014, at 17:33 , Petr Spacek <pspacek at redhat.com> wrote:
>> On 4.3.2014 14:23, Jerry Lundström wrote:
>>> Yes the current interface is very SQLish, I can see a few places where you might be able to add another layer that would make a LDAP backend possible.
>> Could you be more specific? I would like to look at the code we are talking about.
> It depends on what you want to do. To add complete support for other types of data sources we need to refactor a bit; otherwise it could be "hacked" into the source.
'A new data source' is a good description, I think.

>> It would be even better to see some design document with database schema description but I can't find one on https://wiki.opendnssec.org/ .
> The database schema is auto generated from the protobuf definitions, simplest way to see the database schema is to fire up an instance, run the setup command and then dump it.
Thank you for the information, I will look into a live DB. How does it work on 
upgrade, generally? What if the protobuf definition was changed between 
versions? Are there differences between 1.x and 2.x?

>> Plain SoftHSMv2 is probably not the best use case because we plan to support off-line operation and other things like that and we will want (I guess) to re-use existing code.
> What do you mean by off-line operations? If it's something where you can generate new keys locally and then sync them, I don't see why this can't be supported by a backend in SoftHSMv2.
Imagine that the data store is in fact a remote database. You want to be able 
to use the keys stored in the token even if the connection to the backend 
database is down.

Technically, we can implement the whole database backend from scratch but I 
guess that we will try to re-use existing code for database operations from 
SSSD project (https://fedorahosted.org/sssd/).

Anyway, we are going to investigate whether SoftHSMv2 can work on top of our 
existing database code or not. I'm not saying 'no', I'm just saying that it is 
not as easy as it may seem.

>> Great. It will take some time before we get to writing some code (one or more months) but we want to know if the idea is good or if we should search for some other solution.
> If you're looking for good key management then you've come to the right place!
Great, that is what we need :-)

>> BTW, are the proposed changes something that needs attention from the "OpenDNSSEC Architecture Board"? If so, who should I contact and how?
> No, not for adding a database backend.
The original proposal was also about 'distributed operation', i.e. multiple 
enforcers running and coordinating among multiple machines at the same time 
(possibly via shared database or something like that).

I think this will require more significant changes than 'mere' database backend.

Thank you for answers :-)

-- 
Petr^2 Spacek
