[Freeipa-devel] [PATCH] [WIP] DNSSEC support - preview

Simo Sorce ssorce at redhat.com
Fri Oct 10 12:51:01 UTC 2014


On Fri, 10 Oct 2014 09:17:34 +0200
Martin Kosek <mkosek at redhat.com> wrote:

> On 10/09/2014 03:57 PM, Petr Spacek wrote:
> > Hello,
> >
> > it would be great if people could look at the current state of the
> > DNSSEC patches for FreeIPA.
> >
> > It consists of several relatively independent parts:
> > - python-pkcs#11 interface written by Martin Basti:
> > https://github.com/spacekpe/freeipa-pkcs11
> >
> > - DNSSEC daemons written by me:
> > https://github.com/spacekpe/ipadnssecd

Well I have to be honest, it would be easier if commit messages were in
English :-)

Simo.

> > - FreeIPA integration written by Martin Basti:
> > https://github.com/bastiak/freeipa/tree/dnssec
> >
> > For now brief visual inspection is good enough :-)
> >
> > Current state
> > =============
> > - It works only on a single DNSSEC "master" server because we still
> > do not have the key wrapping machinery.
> > - The "master" server has to be configured manually using
> > ipa-dnssec-setmaster utility.
> > - DNSSEC keys are generated on the fly when DNSSEC is enabled for a
> > particular zone.
> > - Metadata for BIND are generated on the fly.
> > - BIND automatically signs the zone.
> >
> > It depends on the latest softhsm, opendnssec and bind-pkcs11-util &
> > bind-pkcs11 packages, which are not yet in Fedora 21.
> >
> > Thank you for your time!
> >
> 
> Good! I am glad to see progress. I am also CCing Simo and Rob to be
> in the loop. It would be especially useful if you also show Simo your
> special file permissions (setfacl) and sharing config files between
> daemons. I am rather nervous about this part.
> 
> To comment on FreeIPA integration - I saw you are adding a new config
> file:
> - install/tools/ipa-dnssec-setmaster
> 
> I wonder how consistent and future-proof that is. Setting master is
> currently being done in "ipa-*replica-manage", check for example
> "ipa-csreplica-manage". We want to have these operations on a
> sensible place as we will be refactoring them in 4.2.
> 
> As for the service installation code itself, I would rather see it in
> 
> # ipa-dns-install
> 
> which could have new --dnssec-master and --no-dnssec flags.
> 
> Martin

-- 
Simo Sorce * Red Hat, Inc * New York
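The "BIND automatically signs the zone" step above relies on BIND's own key-maintenance mode rather than on any FreeIPA-specific code. The stanza below is an added example, not configuration taken from the patches or from FreeIPA; the zone name and the key-directory path are assumed, and it assumes BIND 9.9 or later built with PKCS#11 support (the bind-pkcs11 packages mentioned above) so that the key files in key-directory can refer to keys held in the SoftHSM token.

```conf
options {
    directory "/var/named";
    dnssec-enable yes;          # default in BIND 9.x, shown for clarity
};

zone "example.test" IN {
    type master;
    file "example.test.db";               # unsigned master file, never rewritten
    key-directory "/var/named/dnssec-keys"; # assumed path; holds K<zone>+<alg>+<id>.{key,private}
    auto-dnssec maintain;   # named publishes/activates/retires keys from their timing metadata
    inline-signing yes;     # signed copy kept separately in example.test.db.signed
};
```

With this in place the daemon generating the keys only has to drop correctly formed key files (with Publish/Activate timing metadata) into key-directory and then run `rndc loadkeys example.test`; named picks them up, signs the zone and maintains RRSIGs and key rollovers on its own. The sharing that Martin is nervous about is exactly this directory: named (and, with PKCS#11, the HSM PIN file it reads) must be able to read what the IPA daemon writes, so whatever setfacl rules grant that access deserve a close look.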