[Freeipa-devel] [PATCH] [WIP] DNSSEC support - preview

Martin Basti mbasti at redhat.com
Fri Oct 10 07:53:28 UTC 2014


On 10/10/14 09:17, Martin Kosek wrote:
> On 10/09/2014 03:57 PM, Petr Spacek wrote:
>> Hello,
>>
>> it would be great if people could look at the current state of DNSSEC patches for
>> FreeIPA.
>>
>> It consists of several relatively independent parts:
>> - python-pkcs#11 interface written by Martin Basti:
>> https://github.com/spacekpe/freeipa-pkcs11
>>
>> - DNSSEC daemons written by me:
>> https://github.com/spacekpe/ipadnssecd
>>
>> - FreeIPA integration written by Martin Basti:
>> https://github.com/bastiak/freeipa/tree/dnssec
>>
>> For now brief visual inspection is good enough :-)
>>
>> Current state
>> =============
>> - It works only on a single DNSSEC "master" server because we still do not have
>> the key wrapping machinery.
>> - The "master" server has to be configured manually using the ipa-dnssec-setmaster
>> utility.
>> - DNSSEC keys are generated on the fly when DNSSEC is enabled for a particular zone.
>> - Metadata for BIND are generated on the fly.
>> - BIND automatically signs the zone.
>>
>> It depends on the latest softhsm, opendnssec and bind-pkcs11-util & bind-pkcs11
>> packages, which are not in Fedora 21 yet.
>>
>> Thank you for your time!
>>
>
> Good! I am glad to see progress. I am also CCing Simo and Rob to be
> in the loop. It would be especially useful if you also show Simo your
> special file permissions (setfacl) and sharing of config files between
> daemons. I am rather nervous about this part.

We will *not* use setfacl, there were some issues with softhsm, which 
Petr^2 found yesterday.

>
> To comment on FreeIPA integration - I saw you are adding a new config 
> file:
> - install/tools/ipa-dnssec-setmaster
>
> I wonder how consistent and future-proof that is. Setting the master is
> currently done in "ipa-*replica-manage"; check for example
> "ipa-csreplica-manage". We want to have these operations in a sensible
> place as we will be refactoring them in 4.2.
>
> As for the service installation code itself, I would rather see it in
>
> # ipa-dns-install
>
> which could have new --dnssec-master and --no-dnssec flag.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Martin Basti