[Freeipa-devel] DNSSEC: upgrade path to Vault

Simo Sorce simo at redhat.com
Tue Mar 11 20:14:58 UTC 2014


On Tue, 2014-03-11 at 14:40 -0400, Simo Sorce wrote:
> The *only* thing we really need to do IMO is that if a DNS server finds
> out its keys for a zone are expired then it shuts down itself and makes
> itself unavailable so clients will start falling over to another DNS
> server and the admin will have to troubleshoot and resolve why the
> keys were not accessible. If the reason is that they forgot to update a
> replica then they should just proceed and update and the DNS server will
> restart after that (we may want to make sure we have a way to pull the
> latest key at upgrade or we have a chicken-and-egg issue where replica
> update fails because DNS does not start).
> 
I am thinking that in case we have some zones protected with DNSSEC and
some that are not (do we handle this case?) then what we could do is
simply to stop serving the secured zone. Is there an error code we can
return that will make clients try another DNS server if they have
multiple configured?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
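The two behaviours discussed in this thread, a server deciding to stop serving a signed zone whose signatures have run out, and a client falling over to the next configured server, as an added worked example. This is not code from the thread or from FreeIPA; it parses RRSIG records in zone-file presentation format (RFC 4034 section 3.2) to find zones whose signatures are outside their validity window, and then shows a stub-resolver loop that moves on to the next server on a timeout, SERVFAIL or REFUSED. The choice of REFUSED as the rcode for a zone the server has stopped serving, the `make_simulated_send` transport stand-in, and all server names and RRSIG lines are constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable

# --- server side: which signed zones can this server still serve? -------------

@dataclass(frozen=True)
class Rrsig:
    """The RRSIG fields that matter for validity checking."""
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_rrsig_time(field: str) -> datetime:
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG in presentation format:
    owner TTL class RRSIG type alg labels orig-ttl expiration inception keytag signer sig..."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(owner=f[0], type_covered=f[4],
                 expiration=parse_rrsig_time(f[8]), inception=parse_rrsig_time(f[9]),
                 key_tag=int(f[10]), signer=f[11])


def zone_signature_status(rrsigs: Iterable[Rrsig], now: datetime) -> dict[str, str]:
    """Per signing zone: 'ok', 'expired' or 'not-yet-valid'. A zone is 'ok' only
    when every signature it produced is inside its validity window."""
    status: dict[str, str] = {}
    for sig in rrsigs:
        if sig.expiration <= now:
            state = "expired"
        elif sig.inception > now:
            state = "not-yet-valid"
        else:
            state = "ok"
        if status.get(sig.signer, "ok") == "ok":  # first bad signature wins
            status[sig.signer] = state
    return status


def zones_to_stop_serving(rrsigs: Iterable[Rrsig], now: datetime) -> set[str]:
    """Zones whose signatures are not currently valid: stop answering for them
    rather than hand out data that validating resolvers will reject anyway."""
    return {z for z, st in zone_signature_status(rrsigs, now).items() if st != "ok"}


# --- client side: stub resolver that falls over to the next server ------------

def query_with_failover(servers: list[str], qname: str,
                        send: Callable[[str, str], str | None]) -> tuple[str | None, str]:
    """Try the configured servers in order. A timeout (None) or a SERVFAIL/REFUSED
    rcode moves on to the next server; any other rcode is the final answer."""
    for server in servers:
        rcode = send(server, qname)
        if rcode is None or rcode in ("SERVFAIL", "REFUSED"):
            continue
        return server, rcode
    return None, "SERVFAIL"


def make_simulated_send(stopped_by_server: dict[str, set[str]]) -> Callable[[str, str], str | None]:
    """Offline stand-in for the UDP transport (assumption, not a real resolver):
    a known server answers REFUSED for names under a zone it stopped serving and
    NOERROR otherwise; an unknown server never answers, i.e. a timeout."""
    def send(server: str, qname: str) -> str | None:
        if server not in stopped_by_server:
            return None
        if any(qname == z or qname.endswith("." + z) for z in stopped_by_server[server]):
            return "REFUSED"
        return "NOERROR"
    return send


# Constructed sample data: ns1 still holds a signature that expired on 1 March 2014,
# ns2 has been updated and re-signed. "Now" is the date of this thread.
NOW = datetime(2014, 3, 11, 20, 14, 58, tzinfo=timezone.utc)
NS1_RRSIGS = [parse_rrsig(l) for l in (
    "example.test. 3600 IN RRSIG SOA 8 2 3600 20140301000000 20140201000000 12345 example.test. AbCd==",
    "other.test. 3600 IN RRSIG SOA 8 2 3600 20140401000000 20140301000000 23456 other.test. EfGh==",
)]
NS2_RRSIGS = [parse_rrsig(
    "example.test. 3600 IN RRSIG SOA 8 2 3600 20140401000000 20140301000000 12346 example.test. IjKl==")]

SERVERS = ["ns1.example.test.", "ns2.example.test."]
SEND = make_simulated_send({
    SERVERS[0]: zones_to_stop_serving(NS1_RRSIGS, NOW),
    SERVERS[1]: zones_to_stop_serving(NS2_RRSIGS, NOW),
})

if __name__ == "__main__":
    print("ns1 stops serving:", sorted(zones_to_stop_serving(NS1_RRSIGS, NOW)))
    print("lookup:", query_with_failover(SERVERS, "www.example.test.", SEND))
```

The split into per-zone status keeps the unsigned zones (and signed zones whose signatures are still valid) answering on a server that has only partially fallen behind, which is the mixed case the message asks about; the client loop treats REFUSED and SERVFAIL the same way as a timeout, so whichever rcode the server ends up returning, the lookup lands on the replica that was updated.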