[Freeipa-devel] DNSSEC: IPA Installation/Upgrade

Martin Basti mbasti at redhat.com
Mon Jun 23 15:49:39 UTC 2014


On Mon, 2014-06-23 at 17:44 +0200, Martin Basti wrote:
> Hello,
> I have following issues:
> 
> #1 Upgrading existing replicas to support DNSSEC won't work for current
> design (replica-file as storage for temporal replica key).
> Temporal private key needs to be copied to replica, and no encrypted
> master-key for replica is prepared in LDAP, because user doesn't need to
> run ipa-replica-prepare.
> 
> After discussion with Petr2, the solution is:
> a) Each replica (except first - which generates master-key) generates
> replica public and private keys.
> b) Replica uploads public key to LDAP
> c) Replica with generated master key uses the public key (b) to encrypt
> master-key and stores it in LDAP. Replica with master-key must detect if
> there is any new public replica key.
> d) Replica (b) is now able to get master-key using its own private replica
> key
> 
> 
> #2 We need to choose only one replica which will generate (rotate, ...)
> DNSSEC keys.
and generate master key too

> My proposal is to test during installation/upgrade if any dnssec/master
> keys are in LDAP. If no key was found, the first server is
> installed/upgraded and a DNSSEC key generator is required.
> 
> But there is an issue with parallel upgrade of multiple replicas (or if
> replication temporarily doesn't work). There is no guarantee that replicas
> will be able to detect whether any replica became the DNSSEC key generator.
> 
> 
> Please write me your opinions.
> 


-- 
Martin^2 Basti
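The two problems above, as an added example that is not FreeIPA code and not the design as it was eventually implemented: steps (a) to (d) are simulated with an in-memory map standing in for the LDAP entries and Go's standard-library RSA-OAEP doing the wrapping of the master key, and the check proposed for #2 is run once against a converged directory and once with replication lagging to show the race. The replica names, the attribute layout of the map, the 2048-bit RSA choice and the use of the replica name as OAEP label are all assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Directory stands in for the LDAP entries the design relies on; the layout is
// constructed for this example and is not FreeIPA's schema.
type Directory struct {
	ReplicaPubKeys   map[string]*rsa.PublicKey // step (b): replica name -> uploaded public key
	WrappedMasterKey map[string][]byte         // step (c): replica name -> master key encrypted for it
}

func NewDirectory() *Directory {
	return &Directory{ReplicaPubKeys: map[string]*rsa.PublicKey{}, WrappedMasterKey: map[string][]byte{}}
}

// Replica owns a key pair; the private half never leaves the host, so nothing
// secret has to travel in a replica file.
type Replica struct {
	Name string
	priv *rsa.PrivateKey
}

// NewReplica is step (a): each replica except the master-key holder makes its own pair.
func NewReplica(name string) (*Replica, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Replica{Name: name, priv: priv}, nil
}

// Publish is step (b): only the public key is written to the directory.
func (r *Replica) Publish(d *Directory) { d.ReplicaPubKeys[r.Name] = &r.priv.PublicKey }

// WrapForNewReplicas is step (c), run repeatedly on the master-key holder: any
// uploaded public key that has no wrapped copy yet counts as new, and the master
// key is encrypted to it with RSA-OAEP. The replica name is the OAEP label, so a
// blob copied under another replica's entry will not decrypt there.
func WrapForNewReplicas(d *Directory, masterKey []byte) ([]string, error) {
	var newly []string
	for name, pub := range d.ReplicaPubKeys {
		if _, done := d.WrappedMasterKey[name]; done {
			continue
		}
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, masterKey, []byte(name))
		if err != nil {
			return nil, fmt.Errorf("wrap for %s: %w", name, err)
		}
		d.WrappedMasterKey[name] = ct
		newly = append(newly, name)
	}
	sort.Strings(newly)
	return newly, nil
}

// FetchMasterKey is step (d): the replica opens its own blob with its private key.
// A replica whose public key has not been processed yet gets an error, not a key.
func (r *Replica) FetchMasterKey(d *Directory) ([]byte, error) {
	ct, ok := d.WrappedMasterKey[r.Name]
	if !ok {
		return nil, fmt.Errorf("no master key wrapped for %s yet", r.Name)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, r.priv, ct, []byte(r.Name))
}

// Upgrade models the check proposed for #2: a replica claims the generator role
// when its view of the directory shows nobody holding it. With a converged
// directory (one shared view) only the first replica claims; with replication
// lagging (every replica still sees an empty entry) all of them claim.
func Upgrade(names []string, converged bool) []string {
	shared := ""
	var claimants []string
	for _, n := range names {
		view := &shared
		if !converged {
			local := "" // stale view: the other replica's claim has not replicated yet
			view = &local
		}
		if *view == "" {
			*view = n
			claimants = append(claimants, n)
		}
	}
	return claimants
}

func main() {
	d := NewDirectory()
	master := []byte("constructed-32-byte-master-key!!") // constructed sample, not a real key
	r, err := NewReplica("replica2.example.test")
	if err != nil {
		panic(err)
	}
	r.Publish(d)
	newly, _ := WrapForNewReplicas(d, master)
	got, err := r.FetchMasterKey(d)
	fmt.Println("wrapped for:", newly, "fetched ok:", err == nil && string(got) == string(master))
	fmt.Println("converged:", Upgrade([]string{"a", "b"}, true), "lagging:", Upgrade([]string{"a", "b"}, false))
}
```

The scan in WrapForNewReplicas is idempotent, so the master-key holder can run it on every pass without re-wrapping for replicas already served; the race in Upgrade is exactly the case the mail flags, and the simulation shows it is a property of the check itself rather than of timing luck.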