[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

Guido Schmitz g.schmitz at gtrs.de
Wed Aug 17 10:34:03 UTC 2016

> Now it is getting interesting :-)
> First of all, what version of FreeIPA packages and on what distro are you
> using? There are significant differences between package versions.

I am running Fedora 23 (inside an LXC on a Proxmox host) with FreeIPA
4.3.1 from COPR.

> The export is handled by ipa-ods-exporter service on IPA DNSSEC key master
> server. Look at its logs and see if it reports any errors.
> I'm not sure how OpenDNSSEC handles key import. IPA is waiting on OpenDNSSEC
> signer's socket for events which indicate key state change. If this does not
> happen the key is not exported.
> You can trigger this manually by calling command
> "ods-signer ipa-full-update"
> or
> "ods-signer update <zone name>"

First, when I triggered the sync, I got the following error message:

ipa-ods-exporter exception: Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-ods-exporter", line 721, in <module>
    sync_zone(log, ldap, dns_dn, zone_name)
  File "/usr/libexec/ipa/ipa-ods-exporter", line 539, in sync_zone
    ods_keys = get_ods_keys(zone_name)
  File "/usr/libexec/ipa/ipa-ods-exporter", line 278, in get_ods_keys
    key_data.update(ods2bind_timestamps(row['state'], key_type, ods_times))
  File "/usr/libexec/ipa/ipa-ods-exporter", line 163, in ods2bind_timestamps
    bind_times['idnsSecKeyCreated'] = ods_times['idnsSecKeyCreated']
KeyError: 'idnsSecKeyCreated'

This was caused by the field "generate" of table "keypairs" in
OpenDNSSEC's DB located at /var/opendnssec/kasp.db being empty (probably
because the key was not generated by OpenDNSSEC).

After I fixed this by entering some date into the field, the manually
triggered sync went through and the key appeared in the LDAP subtree
cn=keys,idnsname=myzone.com,cn=dns. The key, however, was still not used
by BIND.

It turned out that I also had to set a publish time in field "publish" of
table "dnsseckeys" of /var/opendnssec/kasp.db. After this, BIND seems to
use this key now :-)

Still, there is one problem:
My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
in LDAP (under attribute idnsSecAlgorithm in the entry
cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns), but BIND seems
to ignore this attribute and assumes that it is always algorithm 8.

For documentation purposes, these are the steps I performed:

* Get the KSK keyfile from old setup (Kmyzone.com.+007+12345.private)

* Convert it to PEM format:
softhsm2-keyconv --in Kmyzone.com.+007+12345.private --out ksk.pem

* Import the KSK key to SoftHSM (using the patched softhsm2-util)
sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf \
    /usr/src/SoftHSMv2/src/bin/util/softhsm2-util --import ksk.pem \
    --slot 381930204 --pin $(cat /var/lib/ipa/dnssec/softhsm_pin) \
    --label a00001 --id a00001

(The patched softhsm2-util used a different slot number on my system. It
usually is 0, but on my setup, the patched softhsm2-util named the slot
381930204. Note that I chose a00001 as key id here. I will refer to
this id later.)

* Add the key to OpenDNSSEC
sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf \
    ods-ksmutil key import --cka_id a00001 --repository SoftHSM \
    --zone myzone.com --bits 2048 --algorithm 7 --keystate active \
    --keytype KSK --time 20140731131634

(Note that you need to adapt some values here, depending on your key.
These are bits, algorithm and time.)

* Switch off ods-enforcerd, so we can safely modify OpenDNSSEC's DB:
service ods-enforcerd stop

* Modify OpenDNSSEC's DB to set "generate" in table "keypairs" and
"publish" in table "dnsseckeys":

sqlite3 /var/opendnssec/kasp.db
 -- look up the internal key id (below I will assume that it is 1)
 select * from keypairs where HSMkey_id='a00001';

 update keypairs set generate='2014-07-31 13:16:34' where id=1;

 update dnsseckeys set publish='2014-07-31 13:16:34' where keypair_id=1;

* Turn ods-enforcerd on again
service ods-enforcerd start

* Trigger full update
ods-signer ipa-full-update


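The two manual sqlite3 UPDATEs from the post, as an added example (not code from the post, from FreeIPA or from OpenDNSSEC) that automates them: a key imported with "ods-ksmutil key import" lands in kasp.db with an empty keypairs.generate (ipa-ods-exporter then dies with KeyError: 'idnsSecKeyCreated') and an empty dnsseckeys.publish (BIND never picks the key up). The script converts the --time argument format of ods-ksmutil into the timestamp format kasp.db stores, reports every key with a missing timestamp, and fills in the fields for one CKA_ID only where they are still empty, so keys that OpenDNSSEC generated itself are never rewritten. The schema is an assumption: only the columns the post names (keypairs.id, keypairs.HSMkey_id, keypairs.generate, dnsseckeys.keypair_id, dnsseckeys.publish) are modelled, in an in-memory database with constructed rows; the real kasp.db has more columns and lives at /var/opendnssec/kasp.db. Stop ods-enforcerd before running anything like this against the real database, as the post does.

```python
#!/usr/bin/env python3
"""Fill in the kasp.db timestamps that ipa-ods-exporter and BIND need for a
hand-imported DNSSEC key. Added example; not part of FreeIPA or OpenDNSSEC.

Assumptions: only the kasp.db columns named in the mailing-list post are
modelled (the real database has more), and the sample rows are constructed.
"""
import sqlite3
from datetime import datetime

KASP_DB = "/var/opendnssec/kasp.db"  # default location from the post


def ods_time_to_sql(ods_time):
    """Convert the --time format of ods-ksmutil (YYYYMMDDHHMMSS) into the
    'YYYY-MM-DD HH:MM:SS' format that kasp.db stores in generate/publish."""
    return datetime.strptime(ods_time, "%Y%m%d%H%M%S").strftime("%Y-%m-%d %H:%M:%S")


def find_keys_missing_timestamps(conn):
    """Return (HSMkey_id, generate, publish) for every keypair whose generate
    or publish timestamp is NULL or empty. These are the keys that make
    ipa-ods-exporter raise KeyError: 'idnsSecKeyCreated' or that BIND ignores."""
    return conn.execute(
        """
        SELECT k.HSMkey_id, k.generate, d.publish
        FROM keypairs k
        JOIN dnsseckeys d ON d.keypair_id = k.id
        WHERE k.generate IS NULL OR k.generate = ''
           OR d.publish  IS NULL OR d.publish  = ''
        """
    ).fetchall()


def fix_imported_key_timestamps(conn, cka_id, ods_time):
    """Set generate and publish for the key imported under CKA_ID cka_id to
    ods_time, touching only fields that are still empty. Returns the number
    of rows changed (2 on first run, 0 when nothing was left to fix)."""
    sql_time = ods_time_to_sql(ods_time)
    with conn:  # single transaction: both UPDATEs commit together or not at all
        row = conn.execute(
            "SELECT id FROM keypairs WHERE HSMkey_id = ?", (cka_id,)
        ).fetchone()
        if row is None:
            raise LookupError(f"no keypair with HSMkey_id {cka_id!r} in kasp.db")
        keypair_id = row[0]
        changed = conn.execute(
            "UPDATE keypairs SET generate = ? "
            "WHERE id = ? AND (generate IS NULL OR generate = '')",
            (sql_time, keypair_id),
        ).rowcount
        changed += conn.execute(
            "UPDATE dnsseckeys SET publish = ? "
            "WHERE keypair_id = ? AND (publish IS NULL OR publish = '')",
            (sql_time, keypair_id),
        ).rowcount
    return changed


def build_sample_db():
    """Constructed in-memory stand-in for kasp.db (assumed column subset):
    one key OpenDNSSEC generated itself, fully populated, and one KSK
    imported via 'ods-ksmutil key import' with the empty fields from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE keypairs (id INTEGER PRIMARY KEY, HSMkey_id TEXT,
                               algorithm INTEGER, generate TEXT);
        CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY, keypair_id INTEGER,
                                 keytype INTEGER, publish TEXT);
        -- ZSK generated by OpenDNSSEC (constructed CKA_ID), algorithm 8
        INSERT INTO keypairs   VALUES (1, '0f3a9c1e', 8, '2016-08-01 09:00:00');
        INSERT INTO dnsseckeys VALUES (1, 1, 256, '2016-08-01 09:00:00');
        -- imported KSK from the post, algorithm 7, timestamps not set
        INSERT INTO keypairs   VALUES (2, 'a00001', 7, NULL);
        INSERT INTO dnsseckeys VALUES (2, 2, 257, NULL);
        """
    )
    return conn


if __name__ == "__main__":
    # Against the real database: sqlite3.connect(KASP_DB), with ods-enforcerd stopped.
    conn = build_sample_db()
    print("missing before:", find_keys_missing_timestamps(conn))
    print("rows changed:", fix_imported_key_timestamps(conn, "a00001", "20140731131634"))
    print("missing after:", find_keys_missing_timestamps(conn))
```

The WHERE clauses on the two UPDATEs are the point: they make the script idempotent and keep it from overwriting timestamps OpenDNSSEC wrote itself, which a bare "update keypairs set generate=... where id=1" would happily do if the id were looked up wrongly.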