[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys
Petr Spacek
pspacek at redhat.com
Wed Aug 17 13:08:42 UTC 2016
On 17.8.2016 14:38, Guido Schmitz wrote:
>>> Still, there is one problem:
>>> My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
>>> algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
>>> in LDAP (under attribute idnsSecAlgorithm in the entry
>>> cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns), but BIND seems
>>> to ignore this attribute and assumes that it is always algorithm 8.
>>
>> Hmm, algorithm mismatch will cause DNSSEC validation to break horribly. The
>> generated records will not match what is indicated in DS record of the parent
>> zone...
>>
>> Please look into
>> /var/named/dyndb-ldap/ipa/master/myzone.com/keys
>> and inspect BIND key files (*.private). Cross-check values in files with
>> values shown by OpenDNSSEC. All the values should match.
>>
>> If they do not match, we have a bug somewhere in the synchronization
>> mechanism, which is possible.
>
> The imported KSK does not exist in this directory (neither on the master
> server nor on the replica). The keys created by IPA are present in this
> directory.
>
> Now, I also checked, if the imported KSK is used to sign the ZSK, but
> there are no matching RRSIG records. (When I wrote earlier that BIND
> uses the imported KSK, I only checked whether a DNSKEY record for this
> KSK is present. The DNSKEY record is present, but with the wrong algorithm.)
Okay, so we need to go back to see where the problem is.
Part A - key material:
0. I assume that you double-checked key attributes in OpenDNSSEC.
1. ipa-ods-exporter service on IPA DNSSEC key master server should not report
any errors when exporting keys (triggered by ods-signer ipa-full-update)
2. Output of these two commands should match:
all IPA DNS servers$ \
python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py
any IPA DNS server$ \
python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/ldapkeydb.py
This verifies that key material was replicated correctly.
Part B - key metadata:
These are read by ipa-dnskeysyncd daemon from LDAP and stored in BIND key files.
Please check logs of ipa-dnskeysyncd service and watch out for errors.
debug=True in /etc/default.conf will tell you more if needed.
--
Petr^2 Spacek
More information about the Freeipa-users
mailing list