[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys
g.schmitz at gtrs.de
Wed Aug 17 10:34:03 UTC 2016
> Now it is getting interesting :-)
> First of all, what version of FreeIPA packages and on what distro are you
> using? There are significant differences between package versions.
I am running Fedora 23 (inside an LXC on a Proxmox host) with FreeIPA
4.3.1 from COPR.
> The export is handled by ipa-ods-exporter service on IPA DNSSEC key master
> server. Look at its logs and see if it reports any errors.
> I'm not sure how OpenDNSSEC handles key import. IPA is waiting on OpenDNSSEC
> signer's socket for events which indicate key state change. If this does not
> happen the key is not exported.
> You can trigger this manually by calling command
> "ods-signer ipa-full-update"
> "ods-signer update <zone name>"
First, when I triggered the sync, I got the following error message:

    ipa-ods-exporter exception: Traceback (most recent call last):
      File "/usr/libexec/ipa/ipa-ods-exporter", line 721, in <module>
        sync_zone(log, ldap, dns_dn, zone_name)
      File "/usr/libexec/ipa/ipa-ods-exporter", line 539, in sync_zone
        ods_keys = get_ods_keys(zone_name)
      File "/usr/libexec/ipa/ipa-ods-exporter", line 278, in get_ods_keys
        key_data.update(ods2bind_timestamps(row['state'], key_type, ods_times))
      File "/usr/libexec/ipa/ipa-ods-exporter", line 163, in ods2bind_timestamps
        bind_times['idnsSecKeyCreated'] = ods_times['idnsSecKeyCreated']

This was caused by the field "generate" of table "keypairs" in
OpenDNSSEC's DB (located at /var/opendnssec/kasp.db) being empty (probably
because the key was not generated by OpenDNSSEC).
After I fixed this by entering some date into the field, the manually
triggered sync went through and the key appeared in the LDAP subtree
cn=keys,idnsname=myzone.com,cn=dns. The key, however, was still not used.
It turned out that I also had to set a publish time in field "publish" of
table "dnsseckeys" of /var/opendnssec/kasp.db. After this, BIND seems to
use this key now :-)
Still, there is one problem:
My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
in LDAP (under attribute idnsSecAlgorithm in the entry
cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns), but BIND seems
to ignore this attribute and assumes that it is always algorithm 8.
For documentation purposes, these are the steps I performed:

* Get the KSK keyfile from the old setup (Kmyzone.com.+007+12345.private)

* Convert it to PEM format:

    softhsm2-keyconv --in Kmyzone.com.+007+12345.private --out ksk.pem

* Import the KSK key into SoftHSM (using the patched softhsm2-util):

    sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf \
        /usr/src/SoftHSMv2/src/bin/util/softhsm2-util --import ksk.pem \
        --slot 381930204 --pin $(cat /var/lib/ipa/dnssec/softhsm_pin) --label a00001

  (The patched softhsm2-util used a different slot number on my system. It
  usually is 0, but on my setup, the patched softhsm2-util named the slot
  381930204. Note that I chose a00001 as the key id here. I will refer to
  this id later.)

* Add the key to OpenDNSSEC:

    sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key \
        import --cka_id a00001 --repository SoftHSM --zone myzone.com --bits 2048 \
        --algorithm 7 --keystate active --keytype KSK --time 20140731131634

  (Note that you need to adapt some values here, depending on your key.
  These are bits, algorithm and time.)

* Switch off ods-enforcerd, so we can safely modify OpenDNSSEC's DB:

    service ods-enforcerd stop

* Modify OpenDNSSEC's DB to set "generate" in table "keypairs" and
  "publish" in table "dnsseckeys":

    -- look up the internal key id (below I will assume that it is 1)
    select * from keypairs where HSMkey_id='a00001';
    update keypairs set generate='2014-07-31 13:16:34' where id=1;
    update dnsseckeys set publish='2014-07-31 13:16:34' where keypair_id=1;

* Turn ods-enforcerd on again:

    service ods-enforcerd start

* Trigger full update
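The database step above is the one most easily got wrong by hand (a typo in the id, a timestamp in the wrong format, or an accidental overwrite of a field that already had a value). The following is an added example, not code from this post or from FreeIPA or OpenDNSSEC: a small Python script using the standard library's sqlite3 module that resolves the CKA_ID label to the internal keypair id, reports which of the two timestamp fields are empty, and fills only the empty ones, in one transaction, with the same timestamp that was passed to ods-ksmutil. The table layout it creates in memory is a constructed subset of kasp.db with only the columns this post touches (an assumption; the real tables have many more columns and the schema here must not be used to create a real database). Against a real /var/opendnssec/kasp.db you would open that file instead of ":memory:", with ods-enforcerd stopped as the post describes and a copy of the file taken first.

```python
import sqlite3
from datetime import datetime

# Assumption: a constructed, minimal subset of OpenDNSSEC's kasp.db schema
# with only the columns this page touches. The real tables carry many more
# columns; never use this schema to create an actual kasp.db.
DEMO_SCHEMA = """
CREATE TABLE keypairs (
    id        INTEGER PRIMARY KEY,
    HSMkey_id TEXT NOT NULL,
    algorithm INTEGER NOT NULL,
    generate  TEXT
);
CREATE TABLE dnsseckeys (
    id         INTEGER PRIMARY KEY,
    keypair_id INTEGER NOT NULL REFERENCES keypairs(id),
    keytype    INTEGER NOT NULL,
    publish    TEXT
);
"""

DB_TIME_FMT = "%Y-%m-%d %H:%M:%S"   # timestamp form seen in kasp.db on the page
ODS_TIME_FMT = "%Y%m%d%H%M%S"       # form of ods-ksmutil's --time option


def open_demo_db():
    """In-memory stand-in for kasp.db holding one imported KSK (CKA_ID a00001,
    algorithm 7) whose generate/publish fields are empty, as on the page.
    Constructed sample data, not a dump of a real database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    conn.execute("INSERT INTO keypairs VALUES (1, 'a00001', 7, NULL)")
    conn.execute("INSERT INTO dnsseckeys VALUES (1, 1, 257, '')")
    conn.commit()
    return conn


def ods_time_to_db(ods_time):
    """Convert an ods-ksmutil --time value (20140731131634) into the
    'YYYY-MM-DD HH:MM:SS' form stored in kasp.db. Malformed input raises
    ValueError instead of being written into the database."""
    return datetime.strptime(ods_time, ODS_TIME_FMT).strftime(DB_TIME_FMT)


def find_keypair(conn, cka_id):
    """Resolve the CKA_ID label to the internal keypair row.
    Refuses to guess when the id is missing or ambiguous."""
    rows = conn.execute(
        "SELECT id, algorithm FROM keypairs WHERE HSMkey_id = ?", (cka_id,)
    ).fetchall()
    if len(rows) != 1:
        raise LookupError("expected exactly one keypair for CKA_ID %r, found %d"
                          % (cka_id, len(rows)))
    return {"id": rows[0][0], "algorithm": rows[0][1]}


def missing_timestamps(conn, keypair_id):
    """List the table.column names that are NULL or empty for this key;
    these are exactly the fields whose absence made ipa-ods-exporter fail."""
    missing = []
    gen = conn.execute("SELECT generate FROM keypairs WHERE id = ?",
                       (keypair_id,)).fetchone()
    if gen is None or gen[0] in (None, ""):
        missing.append("keypairs.generate")
    for (pub,) in conn.execute(
            "SELECT publish FROM dnsseckeys WHERE keypair_id = ?", (keypair_id,)):
        if pub in (None, ""):
            missing.append("dnsseckeys.publish")
            break
    return missing


def backfill_timestamps(conn, cka_id, ods_time):
    """Fill only the empty generate/publish fields of the key with CKA_ID
    cka_id, using the timestamp given to ods-ksmutil. Values already present
    are never overwritten, so re-running is harmless. Returns the number of
    rows each UPDATE touched."""
    ts = ods_time_to_db(ods_time)
    kp = find_keypair(conn, cka_id)
    changed = {}
    with conn:  # one transaction: both updates land or neither does
        cur = conn.execute(
            "UPDATE keypairs SET generate = ? "
            "WHERE id = ? AND (generate IS NULL OR generate = '')",
            (ts, kp["id"]))
        changed["keypairs.generate"] = cur.rowcount
        cur = conn.execute(
            "UPDATE dnsseckeys SET publish = ? "
            "WHERE keypair_id = ? AND (publish IS NULL OR publish = '')",
            (ts, kp["id"]))
        changed["dnsseckeys.publish"] = cur.rowcount
    return changed


if __name__ == "__main__":
    db = open_demo_db()
    kp_id = find_keypair(db, "a00001")["id"]
    print("before:", missing_timestamps(db, kp_id))
    print("changed:", backfill_timestamps(db, "a00001", "20140731131634"))
    print("after: ", missing_timestamps(db, kp_id))
```

The script treats both NULL and the empty string as "empty", because a hand-edited or imported row can carry either, and it returns the algorithm number alongside the keypair id so you can confirm the imported key really is algorithm 7 in the database before looking for the mismatch in BIND that the post describes.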