[Freeipa-devel] [PATCH] [WIP] DNSSEC support - preview

Martin Basti mbasti at redhat.com
Fri Oct 10 13:12:17 UTC 2014


On 10/10/14 14:51, Simo Sorce wrote:
> On Fri, 10 Oct 2014 09:17:34 +0200
> Martin Kosek <mkosek at redhat.com> wrote:
>
>> On 10/09/2014 03:57 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> it would be great if people could look at the current state of DNSSEC
>>> patches for FreeIPA.
>>>
>>> It consists of several relatively independent parts:
>>> - python-pkcs#11 interface written by Martin Basti:
>>> https://github.com/spacekpe/freeipa-pkcs11
>>>
>>> - DNSSEC daemons written by me:
>>> https://github.com/spacekpe/ipadnssecd
> Well I have to be honest, it would be easier if commit messages were in
> English :-)
>
> Simo.
Honestly, those commit messages are not helpful; we plan to merge it 
into one IPA commit, so we don't use nice commit messages.
>
>>> - FreeIPA integration written by Martin Basti:
>>> https://github.com/bastiak/freeipa/tree/dnssec
>>>
>>> For now brief visual inspection is good enough :-)
>>>
>>> Current state
>>> =============
>>> - It works only on single DNSSEC "master" server because we still
>>> do not have the key wrapping machinery.
>>> - The "master" server has to be configured manually using
>>> ipa-dnssec-setmaster utility.
>>> - DNSSEC keys are generated on the fly when DNSSEC is enabled for
>>> particular zone.
>>> - Metadata for BIND are generated on the fly.
>>> - BIND automatically signs the zone.
>>>
>>> It depends on latest softhsm, opendnssec and bind-pkcs11-util &
>>> bind-pkcs11 packages which are not in Fedora 21 yet.
>>>
>>> Thank you for your time!
>>>
>> Good! I am glad to see progress. I am also CCing Simo and Rob to be
>> in the loop. It would be especially useful if you also show Simo your
>> special file permissions (setfacl) and sharing config files between
>> daemons. I am rather nervous about this part.
>>
>> To comment on FreeIPA integration - I saw you are adding a new config
>> file:
>> - install/tools/ipa-dnssec-setmaster
>>
>> I wonder how consistent and future proof that is. Setting master is
>> currently being done in "ipa-*replica-manage", check for example
>> "ipa-csreplica-manage". We want to have these operations on a
>> sensible place as we will be refactoring them in 4.2.
>>
>> As for the service installation code itself, I would rather see it in
>>
>> # ipa-dns-install
>>
>> which could have new --dnssec-master and --no-dnssec flags.
>>
>> Martin
>
>


-- 
Martin Basti
