[Freeipa-devel] [PATCH] [WIP] DNSSEC support - preview

Martin Basti mbasti at redhat.com
Mon Oct 20 01:08:56 UTC 2014


On 17/10/14 10:35, Petr Spacek wrote:
> On 17.10.2014 10:08, Jan Cholasta wrote:
>> Dne 16.10.2014 v 20:01 Petr Spacek napsal(a):
>>> On 16.10.2014 19:43, Jan Cholasta wrote:
>>>> Dne 16.10.2014 v 17:59 Martin Basti napsal(a):
>>>>> On 10/10/14 09:17, Martin Kosek wrote:
>>>>>> On 10/09/2014 03:57 PM, Petr Spacek wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> it would be great if people could look at the current state of the
>>>>>>> DNSSEC patches for FreeIPA.
>>>>>>>
>>>>>>> It consists of several relatively independent parts:
>>>>>>> - python-pkcs#11 interface written by Martin Basti:
>>>>>>> https://github.com/spacekpe/freeipa-pkcs11
>>>>>>>
>>>>>>> - DNSSEC daemons written by me:
>>>>>>> https://github.com/spacekpe/ipadnssecd
>>>>>>>
>>>>>>> - FreeIPA integration written by Martin Basti:
>>>>>>> https://github.com/bastiak/freeipa/tree/dnssec
>>>>> Here is updated repo with installers, please review:
>>>>> https://github.com/bastiak/freeipa/tree/dnssec-4
>>>>> branch dnssec-4
>>>>>
>>>>> TODO: integrate ipadnssecd daemons and pkcs11 helper, when finished
>>>
>>> ...
>>>
>>>> 3)
>>>>
>>>> Not something you can fix in this commit, but shouldn't
>>>> ipa-ods-exporter be named ipa-odsexportd, so that the naming is
>>>> consistent with the rest of our daemons?
>>>
>>> Side note: ipa-ods-exporter is not a daemon :-) It is a single-shot
>>> binary activated via a socket. It is a replacement for "ODS signer" and
>>> uses the same protocol.
>>>
>>> Anyway, I don't care much. Feel free to pick a new name and let me know.
>>
>> Nevermind, I thought it was a daemon.
>>
>>>
>>>> 2)
>>>>
>>>> Why do you use the default /etc/softhsm2.conf file, instead of using
>>>> e.g. /etc/ipa/dnssec/softhsm2.conf and passing it to SoftHSM in the
>>>> SOFTHSM2_CONF environment variable?
>>>
>>> I don't like the idea. The same library is used from named and
>>> ods-enforcerd so we would have to modify environment variables for all
>>> of them and do some monkey patching in /etc/systemd.
>>>
>>> AFAIK current ipactl/framework is sooo clever so it deletes service
>>> files related to all services "managed" by IPA if they are located in
>>> /etc/systemd. As a result we don't have any way to override values
>>> supplied by other packages now.
>>
>> IMO if we can have a private instance of something we should have it. To
>> configure named properly, you just have to add a line with
>> "SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf" to /etc/sysconfig/named.
>
> Ok, I did not realize that we don't actually need systemd unit 
> overrides. We need to do the same with /etc/sysconfig/ods and unit 
> files for ipa-dnskeysynd and ipa-ods-exporter.
>
>>>> 4)
>>>>
>>>> I think /etc/ipa/softhsm_pin_so should be moved to
>>>> /etc/ipa/dnssec/softhsm_pin_so.
>>>
>>> Is it a good idea to store both PINs in the same spot? softhsm_pin_so is
>>> not necessary at run-time so it can be readable only by root:root.
>>
>> What do you mean by "the same spot"?
>
> Nevermind, I can't read.
>
Hello, the latest version:
https://github.com/bastiak/freeipa/tree/dnssec-9

-- 
Martin Basti
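As an added illustration of the two points discussed above (a private SoftHSM2 instance selected through SOFTHSM2_CONF in /etc/sysconfig/named, and a softhsm_pin_so file readable only by root), here is a POSIX shell sketch. It is example code written for this thread, not code from the dnssec branch, ipadnssecd or the freeipa-pkcs11 helper. The token directory /var/lib/ipa/dnssec/tokens, the PREFIX install root (so it can run unprivileged), and the assumption that the named unit picks up /etc/sysconfig/named through EnvironmentFile are mine, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA dnssec branch or ipadnssecd.
# Gives a service (named here) a private SoftHSM2 instance via SOFTHSM2_CONF
# instead of the shared /etc/softhsm2.conf, and stores the SO PIN root-only.
# PREFIX is a constructed install root so the script can run unprivileged;
# a real deployment would use PREFIX="" (paths directly under /etc and /var).
# The token directory /var/lib/ipa/dnssec/tokens is an assumption, not a
# path from the thread.

# Write or replace a single KEY=VALUE line in a sysconfig-style file.
# Idempotent: running it twice leaves exactly one assignment for KEY.
set_sysconfig_var() {
    sc_file=$1; sc_key=$2; sc_value=$3
    mkdir -p "$(dirname "$sc_file")"
    [ -f "$sc_file" ] || : > "$sc_file"
    sc_tmp=$(mktemp)
    grep -v "^${sc_key}=" "$sc_file" > "$sc_tmp" || true   # drop old assignment
    printf '%s=%s\n' "$sc_key" "$sc_value" >> "$sc_tmp"
    mv "$sc_tmp" "$sc_file"
}

# Create the private SoftHSM2 config and its token directory; print the
# config path so callers can feed it to set_sysconfig_var.
write_private_softhsm_conf() {
    pc_prefix=$1
    pc_conf="$pc_prefix/etc/ipa/dnssec/softhsm2.conf"
    pc_tokendir="$pc_prefix/var/lib/ipa/dnssec/tokens"   # assumed location
    mkdir -p "$(dirname "$pc_conf")" "$pc_tokendir"
    chmod 700 "$pc_tokendir"          # token files hold the key material
    cat > "$pc_conf" <<EOF
# SoftHSM v2 configuration for the private IPA DNSSEC instance
directories.tokendir = $pc_tokendir
objectstore.backend = file
log.level = INFO
EOF
    echo "$pc_conf"
}

# Store the security officer PIN readable by root only (mode 0600); it is
# not needed at run time, so no service account needs to read it.
write_so_pin() {
    sp_file=$1; sp_pin=$2
    mkdir -p "$(dirname "$sp_file")"
    ( umask 077; printf '%s\n' "$sp_pin" > "$sp_file" )
    chmod 600 "$sp_file"
}

# Return 0 only if the sysconfig file carries exactly the expected line.
check_named_env() {
    grep -Fqx "SOFTHSM2_CONF=$2" "$1"
}

# Return 0 only if the PIN file exists with mode exactly 0600.
check_pin_mode() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Demo when run directly with --demo (uses a temporary prefix).
if [ "${1:-}" = "--demo" ]; then
    PREFIX=$(mktemp -d)
    CONF=$(write_private_softhsm_conf "$PREFIX")
    set_sysconfig_var "$PREFIX/etc/sysconfig/named" SOFTHSM2_CONF "$CONF"
    write_so_pin "$PREFIX/etc/ipa/dnssec/softhsm_pin_so" "constructed-so-pin"
    check_named_env "$PREFIX/etc/sysconfig/named" "$CONF" && echo "named env ok"
    check_pin_mode "$PREFIX/etc/ipa/dnssec/softhsm_pin_so" && echo "pin mode ok"
fi
```

Run it as `sh setup.sh --demo` to see it populate a temporary prefix. The same set_sysconfig_var call would be repeated for /etc/sysconfig/ods and for the ipa-dnskeysynd and ipa-ods-exporter units' environment files, so every consumer of the library sees the same private token store; the user PIN that is needed at run time is the one that would be made readable to the service accounts, while softhsm_pin_so stays root-only.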
