[Freeipa-devel] DNSSEC: IPA Installation/Upgrade

Martin Basti mbasti at redhat.com
Mon Jun 23 15:44:05 UTC 2014


Hello,
I have the following issues:

#1 Upgrading existing replicas to support DNSSEC won't work for the current
design (replica-file as storage for the temporary replica key).
The temporary private key needs to be copied to the replica, and no encrypted
master-key for the replica is prepared in LDAP, because the user doesn't need to
run ipa-replica-prepare.

After discussion with Petr2, the solution is:
a) Each replica (except the first, which generates the master-key) generates
replica public and private keys.
b) The replica uploads its public key to LDAP.
c) The replica that generated the master-key uses the public key from (b) to
encrypt the master-key and stores it in LDAP. The replica with the master-key
must detect whether there is any new public replica key.
d) The replica from (b) is now able to get the master-key using its own private
replica key.


#2 We need to choose only one replica which will generate (rotate, ...)
DNSSEC keys.

My proposal is to test during installation/upgrade whether any DNSSEC/master
keys are in LDAP. If no key is found, this is the first server being
installed/upgraded and a DNSSEC key generator is required.

But there is an issue with upgrading multiple replicas in parallel (or if
replication temporarily doesn't work). There is no guarantee that replicas
will be able to detect whether any replica has become the DNSSEC key generator.


Please write me your opinions.

-- 
Martin^2 Basti
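The key-distribution steps (a) to (d) from the message above, written out as an added Go example; this is not FreeIPA code, and it assumes RSA-OAEP as the wrapping primitive and an in-memory `Store` in place of the LDAP entries.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Store stands in for the LDAP entries of the proposal (assumption, not FreeIPA's schema).
type Store struct {
	PubKeys map[string]*rsa.PublicKey // uploaded by each replica (step b)
	Wrapped map[string][]byte         // written only by the master-key holder (step c)
}

func NewStore() *Store { return &Store{map[string]*rsa.PublicKey{}, map[string][]byte{}} }

// NewReplicaKey does steps (a) and (b): generate a key pair and upload only the public half.
func NewReplicaKey(name string, s *Store) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s.PubKeys[name] = &priv.PublicKey
	return priv, nil // the private half never leaves the replica host
}

// WrapForNewReplicas is step (c), run only by the master-key holder: detect public keys with
// no wrapped master key yet and RSA-OAEP-encrypt the master key to each (name as OAEP label).
func WrapForNewReplicas(s *Store, master []byte) error {
	for name, pub := range s.PubKeys {
		if _, done := s.Wrapped[name]; !done {
			ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, master, []byte(name))
			if err != nil {
				return err
			}
			s.Wrapped[name] = ct
		}
	}
	return nil
}

// FetchMaster is step (d): unwrap with the replica's own key; fails until the holder has wrapped it.
func FetchMaster(s *Store, name string, priv *rsa.PrivateKey) ([]byte, error) {
	ct, ok := s.Wrapped[name]
	if !ok {
		return nil, fmt.Errorf("master key not yet wrapped for %s", name)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(name))
}
```

The error path in FetchMaster is the window issue #2 describes: a freshly upgraded replica sees nothing to unwrap until the key holder has noticed its public key.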
