[Freeipa-users] DNSSEC Question (KSK ZSK)

Martin Basti mbasti at redhat.com
Tue Dec 29 16:42:52 UTC 2015



On 29.12.2015 17:36, Simo Sorce wrote:
> On Tue, 2015-12-29 at 14:30 +0100, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> Is it possible to install a DNSSEC Master with my previously created KSK ZSK?
>>
>> Background:
>>
>> I have installed an IPA Master on my System, now I have changed the Hardware and
>> made a new installation with new Hardware?
> Unless you want to trash your current install for some reason, it would
> be easier to simply create an ipa replica on the new hardware so that
> all keys get transferred too.
>
> When you retire your old master you will have to reconfigure the
> remaining replica to become the server that rotates the DNS keys.
If you still have an accessible master, create a new replica with DNS, CA (if
the master has a CA too).

Please follow the following guide to migrate the DNSSEC master:
http://www.freeipa.org/page/Howto/DNSSEC#Migrate_DNSSEC_master_to_another_IPA_server

Martin

>
>> I have only a backup from the Files in
>> /var/named/dyndb-ldap/ipa/master/example.com/keys/
>>
>> When I now enable a new DNSSEC Master, does FreeIPA create new KSK ZSK for the
>> Domain?
> If you have already destroyed your original master it is probably easier
> to just regenerate all keys and upload the new public keys on the glue
> record of the delegating provider.
>
> Simo.
>
>> Then I have to wait after the holidays to UPDATE the DS Record on my ISP :-(.
>>
>> Thanks for an answer,
>>
>> -- 
>> mit freundlichen Grüßen / best regards,
>>
>>    Günther J. Niederwimmer
>>
>



