Hello,

I'm Petr Spacek from Red Hat's Identity Management group. We are working on a distributed solution for DNS+DNSSEC key management for servers. Our goal is to design a system without a single point of failure, and we would like to discuss how to make OpenDNSSEC fully distributed.

Background
==========
This effort is part of the FreeIPA project; see http://www.freeipa.org/ if you want to see the big picture. DNS(SEC) is one small part of it.

The basic component is a multi-master replicated LDAP database, and we build on top of it.

We have built the so-called bind-dyndb-ldap plugin for BIND 9, so we can use BIND 9 as a multi-master DNS server (it is still more or less standards-compliant):
https://fedorahosted.org/bind-dyndb-ldap/

We plan to use the in-line signing functionality of BIND 9 to have distributed data signing without a SPOF:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC


OpenDNSSEC 1.x
==============
As a first step, we would like to use the enforcer from OpenDNSSEC 1.x for key maintenance and use some glue logic to distribute keys to all BIND 9 instances for in-line signing. We plan to use the existing OpenDNSSEC 1.x without any changes.


OpenDNSSEC 2.x
==============
Naturally, we want to do key maintenance in a distributed manner :-)

The question is whether you would accept patches adding support for an LDAP backend to OpenDNSSEC 2.x, and patches supporting distributed operation (mainly in the enforcer-ng).

I have looked into git/enforcer-ng/src/protobuf-orm, and it seems that everything is SQL-specific. Would you accept patches adding some abstraction to the database interface?


The next thing is key distribution. In the long term, we plan to write and use a SoftHSM equivalent backed by an LDAP database, with a local cache for key/certificate storage, so that key management/sharing is solved transparently from OpenDNSSEC's point of view.

If you are interested, you can read more about PKCS#11-over-LDAP at
http://www.freeipa.org/page/V4/PKCS11_in_LDAP
or join the freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel


So the main question is:
Would you accept patches for database backend abstraction and distributed behavior (in enforcer-ng)?

Maybe there is a better approach ... We are open to ideas.

Thank you for your time!

--
Petr Spacek  @  Red Hat
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
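For readers unfamiliar with the BIND 9 in-line signing the post builds on, here is an added example of the configuration involved. It is not from the post, from bind-dyndb-ldap, or from OpenDNSSEC; it is the standard BIND 9 (9.9-era) zone statement for in-line signing of a file-backed master zone. The zone name, file paths and key directory are assumptions. bind-dyndb-ldap zones live in LDAP rather than in a `zone` statement like this one, and in BIND 9.16 and later `auto-dnssec` is superseded by `dnssec-policy`.

```conf
// Added example, not from the post or from any project it mentions.
// Minimal named.conf fragment for BIND 9 in-line signing of one zone.
// Zone name and all paths are assumed for illustration.

options {
    directory "/var/named";   // assumed working directory
};

zone "example.com" IN {
    type master;

    // Unsigned zone data as maintained by the operator (assumed path).
    file "example.com.zone";

    // Directory holding Kexample.com.+008+NNNNN.{key,private} pairs
    // (e.g. from dnssec-keygen). In a multi-master setup every BIND 9
    // instance must hold the same key pairs here, otherwise each server
    // signs with different keys and validators see inconsistent RRSIGs.
    key-directory "/var/named/keys";

    // named keeps a separate signed copy (example.com.zone.signed) and
    // re-signs it itself; the unsigned file is never touched.
    inline-signing yes;

    // Publish, activate and retire keys according to the timing metadata
    // in the key files, and refresh RRSIGs before they expire.
    auto-dnssec maintain;
};
```

With this stanza, the key timing metadata (publish/activate/inactive/delete dates on the key files) is the hand-off point between an external enforcer and BIND: whoever generates keys with the right timestamps and places them in `key-directory` on every instance controls the rollover, which is exactly the piece the post wants to distribute.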
