[Freeipa-devel] DNSSEC: IPA Installation/Upgrade
Petr Spacek
pspacek at redhat.com
Tue Jun 24 09:49:11 UTC 2014
On 23.6.2014 17:49, Martin Basti wrote:
> On Mon, 2014-06-23 at 17:44 +0200, Martin Basti wrote:
>> Hello,
>> I have following issues:
>>
>> #1 Upgrading existing replicas to support DNSSEC won't work for current
>> design (replica-file as storage for temporal replica key).
>> Temporal private key needs to be copied to replica, and no encrypted
>> master-key for replica is prepared in LDAP, because user doesn't need to
>> run ipa-replica-prepare.
>>
>> After discussion with Petr2, the solution is:
>> a) Each replica (except first - which generates master-key) generates
>> replica public and private keys.
>> b) Replica uploads public key to LDAP
>> c) Replica with generated master key, use the public key (b) to encrypt
>> master-key and store it to LDAP. Replica with master-key must detect, if
>> there is any new public replica key.
>> d) Replica (b) is now able to get master-key using own private replica
>> key
>>
>>
>> #2 We need to choose only one replica which will generate, (rotate, ...)
>> DNSSEC keys.
> and generate master key too
>
>> My proposal is to test during installation/upgrade if any dnssec/master
>> keys are in LDAP. If no key was found, the first server is
>> installed/upgraded and DNSSEC key generator is required.
>>
>> But there is issue with parallel upgrade multiple replicas (or if
>> replication temporarily doesn't work). There is no guarantee if replicas
>> will be able to detect if any replica became DNSSEC key generator.
Let me add that we are going to use syncrepl anyway so the overall latency
should be minimal (if replication works).
--
Petr^2 Spacek
More information about the Freeipa-devel
mailing list