[Freeipa-devel] [PATCH WIP] DNSSEC key synchronization daemon
Petr Spacek
pspacek at redhat.com
Tue May 20 12:12:30 UTC 2014
Hello,
I'm working on a DNSSEC key-synchronization daemon for IPA 4.0.
At the moment, I have a daemon which is able to read the list of zones from LDAP
and configure OpenDNSSEC (aka ODS) to generate keys for those zones. Neither
the reverse direction ODS->LDAP nor LDAP->BIND synchronization is implemented yet.
I would like to hear your opinions on this code:
https://github.com/spacekpe/ipadnssecd.git
Integration with the IPA installer is missing at the moment, so you have to install
it manually:
1) Read file ods-install: How to configure ODS on IPA server.
2) Read file ipadnssecd-install: How to configure "ipadnssecd" on IPA server.
3) Run keydaemon.py *under ods user*: sudo -u ods ./keydaemon.py
It should automatically synchronize the list of DNSSEC-enabled zones in LDAP with
the list of zones managed by ODS.
Use the command:
$ sudo -u ods ods-ksmutil zone list
to see the list of zones in ODS.
Please keep in mind that only zones with the attribute idnsSecInlineSigning = TRUE
should be present in ODS. I.e. a zone should be deleted from ODS if you change
the attribute idnsSecInlineSigning to FALSE.
Synchronization should be near real-time.
Thank you for your time!
--
Petr^2 Spacek
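The reconciliation step the message describes (LDAP is the source of truth; ODS must contain exactly the zones with idnsSecInlineSigning = TRUE, so zones flipped to FALSE or missing the attribute get removed) as an added, stand-alone example. This is illustrative code written for this page, not code from the ipadnssecd repository. Assumptions: the LDAP entries are modelled as constructed dicts in the shape python-ldap returns (attribute name -> list of values); the "Found Zone: <name>; on policy <policy>" line format of `ods-ksmutil zone list` is a sample I constructed, so adjust the regex to the real output; the `ods-ksmutil zone add --zone` / `zone delete --zone` invocations are the ODS 1.x CLI as I recall it. The helper names (ldap_signed_zones, parse_ods_zone_list, plan_sync, ksmutil_commands) are hypothetical.

```python
"""Compute the ODS zone add/delete plan from LDAP DNS zone entries (example code)."""
import re
import subprocess
import sys
from typing import Dict, Iterable, List, Set, Tuple

# Constructed LDAP search results (attribute names are FreeIPA's DNS schema;
# the dict shape mirrors python-ldap results and is an assumption of this example).
LDAP_ZONES: List[Dict[str, List[str]]] = [
    {"idnsName": ["example.com."], "idnsSecInlineSigning": ["TRUE"]},
    {"idnsName": ["sub.example.com."], "idnsSecInlineSigning": ["FALSE"]},
    {"idnsName": ["old.example.com."]},  # attribute absent -> treated as not signed
    {"idnsName": ["new.example.net."], "idnsSecInlineSigning": ["true"]},
]

# Constructed sample of `ods-ksmutil zone list` output; the exact line format is assumed.
ODS_ZONE_LIST_OUTPUT = """Found Zone: example.com; on policy default
Found Zone: sub.example.com; on policy default
"""
ODS_LINE_RE = re.compile(r"^Found Zone:\s*(?P<zone>\S+?);")


def normalize(name: str) -> str:
    """Canonical zone name: lowercase, no trailing dot (LDAP stores FQDNs with one, ODS without)."""
    return name.strip().lower().rstrip(".")


def ldap_signed_zones(entries: Iterable[Dict[str, List[str]]]) -> Set[str]:
    """Zones that must exist in ODS: idnsSecInlineSigning == TRUE.
    LDAP booleans compare case-insensitively; a missing attribute means FALSE."""
    wanted: Set[str] = set()
    for entry in entries:
        flag = entry.get("idnsSecInlineSigning", ["FALSE"])[0]
        if flag.upper() == "TRUE":
            wanted.add(normalize(entry["idnsName"][0]))
    return wanted


def parse_ods_zone_list(text: str) -> Set[str]:
    """Zones ODS currently manages, parsed from (assumed) `ods-ksmutil zone list` output."""
    present: Set[str] = set()
    for line in text.splitlines():
        m = ODS_LINE_RE.match(line)
        if m:
            present.add(normalize(m.group("zone")))
    return present


def plan_sync(wanted: Set[str], present: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (zones to add to ODS, zones to delete from ODS) so that ODS == wanted."""
    return wanted - present, present - wanted


def ksmutil_commands(to_add: Set[str], to_delete: Set[str]) -> List[List[str]]:
    """Argv vectors for ods-ksmutil (run as the ods user), deletions first so a
    renamed/recreated zone never briefly exists twice. No shell is involved."""
    cmds: List[List[str]] = []
    for zone in sorted(to_delete):
        cmds.append(["ods-ksmutil", "zone", "delete", "--zone", zone])
    for zone in sorted(to_add):
        cmds.append(["ods-ksmutil", "zone", "add", "--zone", zone])
    return cmds


def main() -> None:
    # Dry run by default: print the plan. Pass --apply to execute it (as the ods user).
    wanted = ldap_signed_zones(LDAP_ZONES)
    present = parse_ods_zone_list(ODS_ZONE_LIST_OUTPUT)
    to_add, to_delete = plan_sync(wanted, present)
    for cmd in ksmutil_commands(to_add, to_delete):
        if "--apply" in sys.argv:
            subprocess.run(cmd, check=True)
        else:
            print(" ".join(cmd))


if __name__ == "__main__":
    main()
```

With the constructed input above the plan deletes sub.example.com (flag now FALSE) and adds new.example.net (flag TRUE, spelled in lowercase, which LDAP still treats as TRUE); old.example.com, which has no attribute at all, is never added. Running it without --apply only prints the ods-ksmutil commands, which is a useful sanity check before letting the real daemon loose on a production ODS database.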