[Freeipa-devel] [PATCH] [WIP] DNSSEC support - preview

Martin Kosek mkosek at redhat.com
Fri Oct 10 07:17:34 UTC 2014


On 10/09/2014 03:57 PM, Petr Spacek wrote:
> Hello,
>
> it would be great if people could look at current state of DNSSEC patches for
> FreeIPA.
>
> It consists of several relatively independent parts:
> - python-pkcs#11 interface written by Martin Basti:
> https://github.com/spacekpe/freeipa-pkcs11
>
> - DNSSEC daemons written by me:
> https://github.com/spacekpe/ipadnssecd
>
> - FreeIPA integration written by Martin Basti:
> https://github.com/bastiak/freeipa/tree/dnssec
>
> For now brief visual inspection is good enough :-)
>
> Current state
> =============
> - It works only on single DNSSEC "master" server because we still do not have
> the key wrapping machinery.
> - The "master" server has to be configured manually using ipa-dnssec-setmaster
> utility.
> - DNSSEC keys are generated on the fly when DNSSEC is enabled for a particular zone.
> - Metadata for BIND are generated on the fly.
> - BIND automatically signs the zone.
>
> It depends on the latest softhsm, opendnssec and bind-pkcs11-util & bind-pkcs11
> packages, which are not in Fedora 21 yet.
>
> Thank you for your time!
>

Good! I am glad to see progress. I am also CCing Simo and Rob to keep them in the 
loop. It would be especially useful if you also showed Simo your special file 
permissions (setfacl) and the sharing of config files between daemons. I am rather 
nervous about this part.

To comment on FreeIPA integration - I saw you are adding a new config file:
- install/tools/ipa-dnssec-setmaster

I wonder how consistent and future-proof that is. Setting the master is currently 
done in "ipa-*replica-manage"; see for example "ipa-csreplica-manage". 
We want to have these operations in a sensible place, as we will be refactoring 
them in 4.2.

As for the service installation code itself, I would rather see it in

# ipa-dns-install

which could get new --dnssec-master and --no-dnssec flags.

Martin