[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

Guido Schmitz g.schmitz at gtrs.de
Fri Aug 12 11:26:38 UTC 2016


Hi!

I want to migrate my existing DNS setup to FreeIPA. As this existing
setup already uses DNSSEC, I want to import my current DNSSEC keys into
FreeIPA to have a smooth transition over to IPA's DNS. (The authoritative
DNS servers for the zones are set up as slaves that get the zone via
AXFR and can seamlessly switch to AXFR from IPA.)

In my test migration, I have created the DNS zone I want to migrate in
FreeIPA and have enabled DNSSEC.

As far as I understand IPA's implementation of DNSSEC, OpenDNSSEC takes
care of key management and key rollover [1]. Hence, I have imported my
existing DNSSEC keys to OpenDNSSEC according to OpenDNSSEC's HOWTO [2]
and OpenDNSSEC correctly shows the imported keys along with the DNSSEC
keys generated by IPA.

I thought that ipa-dnskeysyncd would take care of syncing the keys from
OpenDNSSEC to 389 LDAP, but this does not happen: In 389 LDAP, only the
keys initially created by IPA (while enabling DNSSEC for this zone)
exist and hence, only these keys are used to sign the zone.

Do I need to manually insert my existing DNSSEC keys into the LDAP or
take some other additional steps?

Cheers,
-Guido



[1] https://www.freeipa.org/page/V4/DNSSEC_Support#Implementation
[2] https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
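A check for the situation described above, added here as an example and not part of Guido's post or of the FreeIPA/OpenDNSSEC tooling: it computes RFC 4034 key tags from the DNSKEY RRset as dig prints it, reads the key tags of the zone's RRSIG records, and reports which expected keys (the tags OpenDNSSEC lists for the zone) are missing from the served zone or are published but never sign anything. The zone name, key material and expected tags are constructed sample data.

```python
import base64

def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 uses another rule)."""
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) key tags are not computed this way")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even offsets are high bytes
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def keytag_from_dnskey_line(line: str) -> int:
    """Parse a presentation-format DNSKEY RR (e.g. dig output) and return its key tag."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))   # key may wrap over several tokens
    return dnskey_keytag(flags, proto, alg, pubkey)

def audit_zone_keys(zone_lines, expected_tags):
    """Compare the tags OpenDNSSEC expects with what the served zone publishes and uses."""
    published, signing = set(), set()
    for line in zone_lines:
        f = line.split()
        rtype = next((t for t in f if t in ("DNSKEY", "RRSIG")), None)
        if rtype == "DNSKEY":
            published.add(keytag_from_dnskey_line(line))
        elif rtype == "RRSIG":
            signing.add(int(f[f.index("RRSIG") + 7]))   # RRSIG key tag field
    expected = set(expected_tags)
    return {
        "not_published": sorted(expected - published),
        "published_but_unused": sorted((expected & published) - signing),
    }

# Constructed sample: what `dig example.test DNSKEY +dnssec` and the signed SOA might show.
ZONE_DNSKEY_RRSET = [
    "example.test. 3600 IN DNSKEY 257 3 8 AQIDBA==",   # KSK, key tag 2063
    "example.test. 3600 IN DNSKEY 256 3 8 qrvM",       # ZSK, key tag 31428
    "example.test. 3600 IN DNSKEY 256 3 8 ECA=",       # published ZSK, tag 5160, signs nothing
    "example.test. 3600 IN RRSIG SOA 8 2 3600 20160901000000 20160801000000 31428 example.test. c2ln",
    "example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20160901000000 20160801000000 2063 example.test. c2ln",
]
# Constructed: tags OpenDNSSEC lists; 4242 stands for an imported key that never reached LDAP.
EXPECTED_TAGS = [2063, 31428, 5160, 4242]

if __name__ == "__main__":
    print(audit_zone_keys(ZONE_DNSKEY_RRSET, EXPECTED_TAGS))
```

In a real migration, feed it the lines from dig against the IPA server and the key tags from OpenDNSSEC's key listing; any tag under "not_published" is a key that OpenDNSSEC knows but the LDAP-backed zone does not.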
