[Freeipa-devel] [PATCH] [WIP] DNSSEC support - preview
Petr Spacek
pspacek at redhat.com
Thu Oct 9 13:57:26 UTC 2014
Hello,
it would be great if people could look at the current state of DNSSEC patches for
FreeIPA.
It consists of several relatively independent parts:
- python-pkcs#11 interface written by Martin Basti:
https://github.com/spacekpe/freeipa-pkcs11
- DNSSEC daemons written by me:
https://github.com/spacekpe/ipadnssecd
- FreeIPA integration written by Martin Basti:
https://github.com/bastiak/freeipa/tree/dnssec
For now a brief visual inspection is good enough :-)
Current state
=============
- It works only on a single DNSSEC "master" server because we still do not have
the key wrapping machinery.
- The "master" server has to be configured manually using the ipa-dnssec-setmaster
utility.
- DNSSEC keys are generated on the fly when DNSSEC is enabled for a particular zone.
- Metadata for BIND are generated on the fly.
- BIND automatically signs the zone.
It depends on the latest softhsm, opendnssec and bind-pkcs11-util & bind-pkcs11
packages which are not in Fedora 21 yet.
Thank you for your time!
--
Petr^2 Spacek