[Opendnssec-user] enforcer hooks

Petr Spacek pspacek at redhat.com
Tue May 20 10:39:06 UTC 2014


On 19.5.2014 13:21, Jerry Lundström wrote:
> On Mon, 2014-05-19 at 13:09 +0200, Petr Spacek wrote:
>> The private key will be distributed by the underlying PKCS#11 implementation, but we
>> need to receive the key ID and all the metadata necessary for DNS
>> signing/orchestration.
>>
>>> There are a few different keys and states: there are HSM keys (raw key
>>> material) and keys in KASP, and they both carry a lot of states.
>> Imagine that we want to use ODS to generate keys. All the key metadata need to
>> be stored in a distributed database (along with the key ID) so all the K* files can
>> be reconstructed on all DNS servers.
>>
>> Basically we need to get timestamps and DNSSEC key flags as they are stored in
>> K*.private keys for BIND.
>
> Have you looked at the signconf files generated by the Enforcer? The
I have ignored the Signer completely because we plan to use only the Enforcer.

Now I have looked into /var/opendnssec/signconf/example.xml and it seems that 
I will be able to generate the K*.private key except for the timestamps:

Created: 20140429162528
Publish: 20140429162528
Activate: 20140429162528
...

I guess that I can read those from the KASP database.

> contain all the information the Signer needs to sign the zone. The
> Signer does not use the KASP database.
>
> You could monitor that directory and trigger on file changes/add and
> retrieve the new information and propagate it.

That could work, at least as a monitoring mechanism, even if I have to read some 
data from the KASP database.

Does it make sense?

Thank you for your time!

-- 
Petr^2 Spacek
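As an added example (not code from OpenDNSSEC, BIND, or anyone in this thread), the workflow discussed above in Python: parse the <Keys> section of a signconf file, join each key's HSM locator with the timestamps read from the KASP database, and emit the algorithm and timestamp lines of a BIND K*.private file. The signconf sample and the KASP timestamps are constructed; the element names assumed for the signconf format (Keys/Key/Flags/Algorithm/Locator/KSK/ZSK/Publish) and the function names are this example's own. The private key material stays in the HSM behind PKCS#11, so only the metadata fields are produced, and a key the Signer is configured to use but the database does not know is treated as an error rather than silently skipped. A small mtime snapshot is included for the "monitor the signconf directory" idea.

```python
"""Reconstruct K*.private-style key metadata from an OpenDNSSEC signconf file.

Added example, not OpenDNSSEC code; assumptions are marked in comments.
"""
import os
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample shaped like /var/opendnssec/signconf/<zone>.xml (assumption:
# the element names Keys/Key/Flags/Algorithm/Locator/KSK/ZSK/Publish follow the
# Enforcer's signconf output; everything except <Keys> is omitted).
SAMPLE_SIGNCONF = """<?xml version="1.0" encoding="UTF-8"?>
<SignerConfiguration>
  <Zone name="example.com">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>8</Algorithm>
        <Locator>3f1c9b2a7d8e4f60a1b2c3d4e5f60718</Locator>
        <KSK/>
        <Publish/>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>9a8b7c6d5e4f30211f2e3d4c5b6a7988</Locator>
        <ZSK/>
        <Publish/>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# Constructed stand-in for what would be read from the KASP database, keyed by
# HSM locator (hypothetical values in the same YYYYMMDDHHMMSS form as K*.private).
KASP_TIMESTAMPS = {
    "3f1c9b2a7d8e4f60a1b2c3d4e5f60718": {
        "Created": "20140429162528", "Publish": "20140429162528",
        "Activate": "20140429162528"},
    "9a8b7c6d5e4f30211f2e3d4c5b6a7988": {
        "Created": "20140429162528", "Publish": "20140429162528",
        "Activate": "20140430162528", "Inactive": "20140530162528"},
}

# DNSSEC algorithm numbers and the mnemonics BIND prints in K*.private.
ALGORITHM_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256",
                   10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
TIMESTAMP_ORDER = ("Created", "Publish", "Activate", "Inactive", "Delete")


def parse_signconf(xml_text):
    """Return (zone name, list of key dicts) from a signconf document."""
    root = ET.fromstring(xml_text)
    zone = root.find("Zone")
    if zone is None:
        raise ValueError("no <Zone> element in signconf")
    keys = []
    for node in zone.iter("Key"):
        flags = int(node.findtext("Flags", "0"))
        algorithm = int(node.findtext("Algorithm", "0"))
        locator = (node.findtext("Locator") or "").strip().lower()
        # The locator is the PKCS#11 key ID; accept only hex so a corrupt file
        # cannot push an arbitrary identifier into the distributed database.
        if not re.fullmatch(r"[0-9a-f]{2,}", locator):
            raise ValueError(f"bad locator {locator!r}")
        if not flags & 256:
            raise ValueError(f"key {locator} lacks the ZONE flag bit")
        # Empty elements are falsy in ElementTree, hence the explicit None test.
        roles = [r for r in ("KSK", "ZSK") if node.find(r) is not None]
        keys.append({"locator": locator, "flags": flags, "algorithm": algorithm,
                     "roles": roles, "publish": node.find("Publish") is not None})
    return zone.get("name"), keys


def validate_timestamps(ts):
    """Parse K*.private timestamp fields and require them to be non-decreasing."""
    parsed = {n: datetime.strptime(ts[n], "%Y%m%d%H%M%S") for n in TIMESTAMP_ORDER if n in ts}
    present = [parsed[n] for n in TIMESTAMP_ORDER if n in parsed]
    if any(a > b for a, b in zip(present, present[1:])):
        raise ValueError("timestamps out of order: " + ", ".join(parsed))
    return parsed


def render_private_metadata(key, timestamps):
    """Render the metadata half of a BIND K*.private file.

    The key material itself (Modulus, PrivateExponent, ...) is only reachable
    through PKCS#11, so it is deliberately absent: this is orchestration
    metadata, not a file named could load as a key.
    """
    validate_timestamps(timestamps)
    alg = key["algorithm"]
    lines = ["Private-key-format: v1.3",
             f"Algorithm: {alg} ({ALGORITHM_NAMES.get(alg, 'UNKNOWN')})"]
    lines += [f"{n}: {timestamps[n]}" for n in TIMESTAMP_ORDER if n in timestamps]
    return "\n".join(lines) + "\n"


def build_metadata(xml_text, kasp):
    """Join signconf keys with KASP timestamps: locator -> rendered metadata."""
    _, keys = parse_signconf(xml_text)
    out = {}
    for key in keys:
        if key["locator"] not in kasp:
            # A key the Signer is about to use that the database does not know
            # is exactly the inconsistency to stop on, not to paper over.
            raise KeyError(f"no KASP record for locator {key['locator']}")
        out[key["locator"]] = render_private_metadata(key, kasp[key["locator"]])
    return out


def snapshot(directory):
    """Map signconf file name -> mtime_ns, for polling-based change detection."""
    return {e.name: e.stat().st_mtime_ns for e in os.scandir(directory)
            if e.is_file() and e.name.endswith(".xml")}


def changed(old, new):
    """Files added or modified between two snapshot() results."""
    return sorted(n for n, m in new.items() if old.get(n) != m)


if __name__ == "__main__":
    for locator, text in build_metadata(SAMPLE_SIGNCONF, KASP_TIMESTAMPS).items():
        print(f"# locator {locator}\n{text}")
```

Polling with snapshot()/changed() is enough for a trigger; a production watcher would use inotify and then re-read the signconf file only after the Enforcer has finished writing it (the file is replaced atomically, so a parse failure on a half-written file is the signal to retry, not to publish).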