[Opendnssec-user] enforcer hooks

Petr Spacek pspacek at redhat.com
Mon May 19 11:09:51 UTC 2014

On 19.5.2014 10:26, Jerry Lundström wrote:
> Hi Petr,
> On fre, 2014-05-16 at 18:01 +0200, Petr Spacek wrote:
>> I'm looking into OpenDNSSEC v 1.4.5 configuration files and I can't see any
>> hooks for user scripts in Enforcer's configuration.
> There are two hooks/commands that you can configure for OpenDNSSEC:
> 1. Configure the <DelegationSignerSubmitCommand> if you want to have a
> program/script receiving the new KSK during a key rollover.
> 2. <NotifyCommand>, an optional element that will tell the Signer Engine to
> call this command when the zone has been signed. It will expand the
> following variables: %zone (the name of the zone that was signed) and
> %zonefile (the filename of the signed zone).
> These are located in the conf.xml, see:
> https://wiki.opendnssec.org/display/DOCS/conf.xml
>> I would like to run my own script every time a new key is generated or
>> existing key is deleted (or even better - after any state change).
>> What mechanism would you recommend for this purpose?
> There is no good mechanism for getting that information currently.
> To understand what the big picture is could you explain why you want
> this information as it happens?

Sure! We want to implement a system with distributed signing. That is, OpenDNSSEC 
will generate keys and those keys will be distributed to all DNS servers in 
the topology.

The Signer from ODS will not be used at all; DNSSEC signing will happen on all DNS 
servers independently of each other.

This effectively removes a single point of failure (when we talk about signature 
expiration). This allows us to use short signature expiration periods and stay 
relatively safe against replay attacks.

The private key will be distributed by the underlying PKCS#11 implementation, but we 
need to receive the key ID and all the metadata necessary for DNS 

> There are a few different keys and states, there are HSM keys (raw key
> material) and keys in KASP and they both carry a lot of states.
Imagine that we want to use ODS to generate keys. All the key metadata need to 
be stored in a distributed database (along with the key ID) so all the K* files can 
be reconstructed on all DNS servers.

Basically we need to get timestamps and DNSSEC key flags as they are stored in 
K*.private keys for BIND.

>> I think that the (theoretical) hook should be called with parameters
>> equivalent to output from "ods-ksmutil key list -v" for every changed key.
>> Would it be possible to add those hooks?
> If time permits, sure. But right now I think we need to understand
> deeper what/why you want to do this.

I hope it makes sense. Please let me know if it doesn't :-)

> And if you or your team has time you could always make a pull request
> with the functionality you wish to have.

Sure, if the idea makes sense. I wanted to ask first if it is a good idea. I 
don't want to write throw-away code.

Petr^2 Spacek
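Editor's note: the two hooks Jerry describes above are the only user-script entry points OpenDNSSEC 1.4 offers. The following is an added example of a <NotifyCommand> hook, written for this page; it is not code from OpenDNSSEC or from either poster. It assumes the script is installed as /usr/local/bin/ods-notify-hook.sh and wired into conf.xml under <Signer> as <NotifyCommand>/usr/local/bin/ods-notify-hook.sh %zone %zonefile</NotifyCommand>, and that the nameserver is BIND reloaded via rndc (both assumptions, adapt to your setup). The point a practitioner should take from it: the hook runs with the Signer Engine's privileges on whatever path the signer passes, so quote the arguments, and verify that the file is the signed zone you expect before telling the nameserver to load it, rather than reloading blindly. The <DelegationSignerSubmitCommand> hook is analogous in spirit (in 1.4 the Enforcer hands the new KSK's DNSKEY RR to that command on standard input; verify against your version's conf.xml documentation before relying on it).

```shell
#!/bin/sh
# Added example NotifyCommand hook for the OpenDNSSEC Signer Engine.
# Not OpenDNSSEC project code. Assumed wiring in conf.xml, under <Signer>:
#   <NotifyCommand>/usr/local/bin/ods-notify-hook.sh %zone %zonefile</NotifyCommand>
# The signer substitutes %zone and %zonefile before executing the command,
# so $1 is the zone name and $2 is the path of the freshly signed zone file.

# Sanity-check a signed zone file before the nameserver is asked to load it.
# Requires: the file exists and is non-empty, carries at least one RRSIG,
# and has an SOA owned by the zone we were told about (trailing dot optional).
# Returns 0 if all checks pass, 1 otherwise, with the reason on stderr.
check_signed_zone() {
    zone=$1
    zonefile=$2

    if [ ! -s "$zonefile" ]; then
        echo "ods-notify-hook: $zonefile is missing or empty" >&2
        return 1
    fi

    # An unsigned zone (signer failure, wrong file) must never be pushed live.
    if ! grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' "$zonefile"; then
        echo "ods-notify-hook: $zonefile contains no RRSIG records" >&2
        return 1
    fi

    # The SOA owner must be the zone named in %zone; a mismatch means the
    # signer handed us a file for some other zone.
    if ! awk -v z="$zone" '
        ($1 == z || $1 == z ".") {
            for (i = 1; i < NF; i++)
                if ($i == "IN" && $(i + 1) == "SOA") found = 1
        }
        END { exit !found }' "$zonefile"; then
        echo "ods-notify-hook: no SOA for $zone in $zonefile" >&2
        return 1
    fi

    return 0
}

main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 zone zonefile" >&2
        exit 2
    fi
    check_signed_zone "$1" "$2" || exit 1
    # Assumed reload command (BIND); replace with your nameserver's own.
    rndc reload "$1"
}

# Only run main when invoked as the installed hook, so the functions can
# also be sourced and exercised on their own.
case "${0##*/}" in
    ods-notify-hook.sh) main "$@" ;;
esac
```

A failed check leaves the previously loaded zone in place and returns non-zero to the signer, which logs the failure; that is the intended behaviour, since serving a stale but valid zone is preferable to serving an unsigned or foreign one.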
