[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

Petr Spacek pspacek at redhat.com
Wed Aug 17 11:23:26 UTC 2016


On 17.8.2016 12:34, Guido Schmitz wrote:
>>
>> Now it is getting interesting :-)
>>
>> First of all, what version of FreeIPA packages and on what distro are you
>> using? There are significant differences between package versions.
> 
> I am running Fedora 23 (inside an LXC on a Proxmox host) with FreeIPA
> 4.3.1 from COPR.
> 
>>
>> The export is handled by ipa-ods-exporter service on IPA DNSSEC key master
>> server. Look at its logs and see if it reports any errors.
>>
>> I'm not sure how OpenDNSSEC handles key import. IPA is waiting on OpenDNSSEC
>> signer's socket for events which indicate key state change. If this does not
>> happen the key is not exported.
>>
>> You can trigger this manually by calling command
>> "ods-signer ipa-full-update"
>> or
>> "ods-signer update <zone name>"
> 
> First, when I triggered the sync, I got the following error message:
> 
> ipa-ods-exporter exception: Traceback (most recent call last):
>   File "/usr/libexec/ipa/ipa-ods-exporter", line 721, in <module>
>     sync_zone(log, ldap, dns_dn, zone_name)
>   File "/usr/libexec/ipa/ipa-ods-exporter", line 539, in sync_zone
>     ods_keys = get_ods_keys(zone_name)
>   File "/usr/libexec/ipa/ipa-ods-exporter", line 278, in get_ods_keys
>     key_data.update(ods2bind_timestamps(row['state'], key_type, ods_times))
>   File "/usr/libexec/ipa/ipa-ods-exporter", line 163, in ods2bind_timestamps
>     bind_times['idnsSecKeyCreated'] = ods_times['idnsSecKeyCreated']
> KeyError: 'idnsSecKeyCreated'
> 
> 
> This was caused by the field "generate" of table "keypairs" in
> OpenDNSSEC's DB (located at /var/opendnssec/kasp.db) being empty (probably
> because the key was not generated by OpenDNSSEC).
> 
> After I fixed this by entering some date into the field, the manually
> triggered sync went through and the key appeared in the LDAP subtree
> cn=keys,idnsname=myzone.com,cn=dns. The key, however, was still not used
> by BIND.
> 
> It turned out that I also had to set a publish time in field publish of
> table dnsseckeys of /var/opendnssec/kasp.db. After this, BIND seems to
> use this key now :-)
> 
> 
> 
> Still, there is one problem:
> My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
> algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
> in LDAP (under attribute idnsSecAlgorithm in the entry
> cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns), but BIND seems
> to ignore this attribute and assumes that it is always algorithm 8.

Hmm, algorithm mismatch will cause DNSSEC validation to break horribly. The
generated records will not match what is indicated in the DS record of the parent
zone...

Please look into
/var/named/dyndb-ldap/ipa/master/myzone.com/keys
and inspect BIND key files (*.private). Cross-check values in files with
values shown by OpenDNSSEC. All the values should match.

If they do not match, we have a bug somewhere in the synchronization
mechanism, which is possible.


Thank you very much for your effort. I've wrapped this thread into a ticket:
https://fedorahosted.org/freeipa/ticket/6223
so we do not forget to implement necessary tweaks to make migrations to
FreeIPA easier.

I really appreciate your work on this!

Petr^2 Spacek

> For documentation purposes, these are the steps I performed:
> 
> * Get the KSK keyfile from old setup (Kmyzone.com.+007+12345.private)
> 
> * Convert it to PEM format:
> softhsm2-keyconv  --in Kmyzone.com.+007+12345.private --out ksk.pem
> 
> * Import the KSK key to SoftHSM (using the patched softhsm2-util)
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf \
>   /usr/src/SoftHSMv2/src/bin/util/softhsm2-util --import ksk.pem \
>   --slot 381930204 --pin $(cat /var/lib/ipa/dnssec/softhsm_pin) \
>   --label a00001 --id a00001
> 
> (The patched softhsm2-util used a different slot number on my system. It
> usually is 0, but on my setup, the patched softhsm2-util named the slot
> 381930204. Note that I chose a00001 as key id here. I will refer to
> this id later)
> 
> * Add the key to OpenDNSSEC
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key import \
>   --cka_id a00001 --repository SoftHSM --zone myzone.com --bits 2048 \
>   --algorithm 7 --keystate active --keytype KSK --time 20140731131634
> 
> (Note that you need to adapt some values here, depending on your key.
> These are bits, algorithm and time.)
> 
> * Switch off ods-enforcerd, so we can safely modify OpenDNSSEC's DB:
> service ods-enforcerd stop
> 
> * Modify OpenDNSSEC's DB to set "generate" in table "keypairs" and
> "publish" in table "dnsseckeys":
> 
> sqlite3 /var/opendnssec/kasp.db
>  # lookup internal key id (below I will assume that it is 1)
>  select * from keypairs where HSMkey_id='a00001';
> 
>  update keypairs set generate='2014-07-31 13:16:34' where id=1;
> 
>  update dnsseckeys set publish='2014-07-31 13:16:34' where keypair_id=1;
> 
> * Turn ods-enforcerd on again
> service ods-enforcerd start
> 
> * Trigger full update
> ods-signer ipa-full-update
-- 
Petr^2 Spacek
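An added example, not code from the thread and not FreeIPA or OpenDNSSEC code, covering the two loose ends above: the kasp.db fields Guido had to fill in by hand after "ods-ksmutil key import", and the cross-check of BIND's *.private files against the LDAP key entry that Petr asks for. Python, because ipa-ods-exporter itself is Python. Assumptions: the kasp.db schema is reduced to the columns the example touches; the LDAP attribute names other than idnsSecAlgorithm and idnsSecKeyCreated (idnsSecKeyPublish, idnsSecKeyActivate, idnsSecKeyInactive, idnsSecKeyDelete) are assumed from ipa-ods-exporter's naming; the keytype/state numbers and the sample key file are constructed, not real data.

```python
"""Sanity checks for a DNSSEC key imported into FreeIPA/OpenDNSSEC by hand.

fix_imported_key(): fills the 'generate' (keypairs) and 'publish' (dnsseckeys)
    columns that an imported key is left without, only where they are empty.
cross_check(): parses a BIND *.private file and compares algorithm and
    timestamps with the LDAP attributes; an algorithm 7 vs 8 mismatch is
    reported instead of silently accepted.
"""
import re
import sqlite3

# Reduced kasp.db schema (assumption: only the columns used here).
SCHEMA = """
CREATE TABLE keypairs (id INTEGER PRIMARY KEY, HSMkey_id TEXT, algorithm INTEGER,
                       size INTEGER, generate TEXT);
CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY, keypair_id INTEGER, keytype INTEGER,
                         state INTEGER, publish TEXT, ready TEXT, active TEXT);
"""

# BIND *.private field -> LDAP attribute. idnsSecKeyCreated is quoted in the
# thread; the others are assumed from ipa-ods-exporter's naming scheme.
_TIME_FIELDS = {
    "Created": "idnsSecKeyCreated",
    "Publish": "idnsSecKeyPublish",
    "Activate": "idnsSecKeyActivate",
    "Inactive": "idnsSecKeyInactive",
    "Delete": "idnsSecKeyDelete",
}


def fix_imported_key(conn, cka_id, when):
    """Set missing generate/publish times ('YYYY-MM-DD HH:MM:SS') for the
    keypair whose HSMkey_id is `cka_id`. Only NULL/empty fields are written,
    so keys OpenDNSSEC generated itself stay untouched.
    Returns (keypair_id, rows_updated)."""
    row = conn.execute("SELECT id FROM keypairs WHERE HSMkey_id = ?", (cka_id,)).fetchone()
    if row is None:
        raise LookupError("no keypair with HSMkey_id %r" % cka_id)
    kid = row[0]
    n = conn.execute("UPDATE keypairs SET generate = ? WHERE id = ? "
                     "AND (generate IS NULL OR generate = '')", (when, kid)).rowcount
    n += conn.execute("UPDATE dnsseckeys SET publish = ? WHERE keypair_id = ? "
                      "AND (publish IS NULL OR publish = '')", (when, kid)).rowcount
    conn.commit()
    return kid, n


def parse_bind_private(text):
    """Turn 'Field: value' lines into a dict. 'Algorithm: 7 (NSEC3RSASHA1)'
    becomes 7; timestamps stay as YYYYMMDDHHMMSS strings."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.*?)\s*$", line)
        if m:
            field, value = m.groups()
            out[field] = int(value.split()[0]) if field == "Algorithm" else value
    return out


def cross_check(bind_private, ldap_entry):
    """Return a list of mismatches between a BIND key file and the LDAP entry
    (empty list means the two agree on algorithm and timing)."""
    bind = parse_bind_private(bind_private)
    problems = []
    alg_ldap = int(ldap_entry["idnsSecAlgorithm"])
    if bind.get("Algorithm") != alg_ldap:
        problems.append("algorithm: LDAP idnsSecAlgorithm=%d, BIND file says %s "
                        "(DS in the parent zone will not match)" % (alg_ldap, bind.get("Algorithm")))
    for field, attr in _TIME_FIELDS.items():
        if attr in ldap_entry:
            want = ldap_entry[attr].rstrip("Z")  # LDAP generalized time carries a 'Z'
            if bind.get(field) != want:
                problems.append("%s: LDAP %s=%s, BIND %s" % (field, attr, want, bind.get(field)))
    return problems


# Constructed sample (no real key material): algorithm 7 in LDAP, but the
# file BIND wrote says 8, the symptom described in the thread.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: AAAA
PublicExponent: AQAB
Created: 20140731131634
Publish: 20140731131634
Activate: 20140731131634
"""
SAMPLE_LDAP = {"idnsSecAlgorithm": "7", "idnsSecKeyCreated": "20140731131634Z",
               "idnsSecKeyPublish": "20140731131634Z", "idnsSecKeyActivate": "20140731131634Z"}


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed rows as a manual "ods-ksmutil key import" might leave them
    # (keytype 257 = KSK flags, state 4 = active; both assumed).
    conn.execute("INSERT INTO keypairs VALUES (1, 'a00001', 7, 2048, NULL)")
    conn.execute("INSERT INTO dnsseckeys VALUES (1, 1, 257, 4, NULL, NULL, NULL)")
    kid, updated = fix_imported_key(conn, "a00001", "2014-07-31 13:16:34")
    again = fix_imported_key(conn, "a00001", "2014-07-31 13:16:34")[1]  # idempotent
    return {"keypair_id": kid, "rows_updated": updated, "rows_updated_again": again,
            "mismatches": cross_check(SAMPLE_PRIVATE, SAMPLE_LDAP)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it against a real kasp.db by replacing the in-memory connection with sqlite3.connect("/var/opendnssec/kasp.db") while ods-enforcerd is stopped, and feed cross_check() the contents of the *.private file under /var/named/dyndb-ldap/ipa/master/<zone>/keys together with the attributes read from cn=keys,idnsname=<zone>,cn=dns.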