[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys
Guido Schmitz
g.schmitz at gtrs.de
Mon Aug 15 10:14:41 UTC 2016
On 12.08.2016 13:58, Petr Spacek wrote:
> On 12.8.2016 13:26, Guido Schmitz wrote:
>> Hi!
>>
>> I want to migrate my existing DNS setup to FreeIPA. As this existing
>> setup already uses DNSSEC, I want to import my current DNSSEC keys into
>> FreeIPA to have a smooth transition over to IPA's DNS. (The authorative
>> DNS servers for the zones are set up as slaves that get the zone via
>> AXFR and can seamlessly switch to AXFR from IPA.)
>>
>> In my test migration, I have created the DNS zone I want to migrate in
>> FreeIPA and have enabled DNSSEC.
>>
>> As far as I understand IPA's implementation of DNSSEC, OpenDNSSEC takes
>> care of key management and key rollover [1]. Hence, I have imported my
>> existing DNSSEC keys to OpenDNSSEC according to OpenDNSSEC's HOWTO [2]
>> and OpenDNSSEC correctly shows the imported keys along with the DNSSEC
>> keys generated by IPA.
>>
>> I thought that ipa-dnskeysyncd would take care of syncing the keys from
>> OpenDNSSEC to 389 LDAP, but this does not happen: In 389 LDAP, only the
>> keys initially created by IPA (while enabling DNSSEC for this zone)
>> exist and hence, only these keys are used to sign the zone.
>>
>> Do I need to manually insert my existing DNSSEC keys into the LDAP or
>> take some other additional steps?
>
> Hello!
>
> In theory ipa-dnskeysyncd should take care of it. The important step is to
> ensure that all the imported keys have CKA_EXTRACTABLE PKCS#11 flag (in
> SoftHSM) set to TRUE otherwise the synchronization will not work.
That seems to be my problem: The CKA_EXTRACTABLE flag is not set on the
imported keys. I do not have any clue on how to set this flag.
I have used the following command to import the keys:
sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
--import ksk.pem --slot 0 --pin *PIN* --label ipaDNSSEC --id *ID*
softhsm2-util does not seem to have any parameter to set the
CKA_EXTRACTABLE flag.
Are there other ways to import keys into the SoftHSM that allow setting
this flag? Or is there a possibility to modify the flag later (although
this would be contrary to the idea of an "HSM")?
-Guido
>
> Please note that we never tested this so following text is just untested theory:
>
> Start with usual DNSSEC debugging for FreeIPA:
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>
> Besides all other things, I would double-check that (on FreeIPA DNSSEC key
> master server):
> 1) ods-ksmutil key list --verbose
> shows the imported keys in state active or publish
>
> 2) Command
> python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py
> shows that keys are CKA_EXTRACTABLE.
>
> 3) If all of the above seems to be okay, check logs for ipa-dnskeysyncd and
> ipa-ods-exporter services:
> journalctl -u ipa-dnskeysyncd -u ipa-ods-exporter
>
> ipa-ods-exporter is the piece doing dirty export work.
>
> I hope it helps.
>
> Petr^2 Spacek
>
>
>>
>> Cheers,
>> -Guido
>>
>>
>>
>> [1] https://www.freeipa.org/page/V4/DNSSEC_Support#Implementation
>> [2] https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
>>
>
>
More information about the Freeipa-users
mailing list