[Freeipa-users] DNSSEC KSK rollover

Peter Fern freeipa at 0xc0dedbad.com
Mon Feb 29 10:54:27 UTC 2016


On 02/29/2016 21:22, Petr Spacek wrote:
> On 28.2.2016 14:51, Peter Fern wrote:
>> Hi all,
>> A new KSK has been auto-generated, and it's transitioned through
>> 'published' and is now sitting in the 'ready' state, but does not appear
>> as a DNSKEY record on the zone.  I can see that ods-enforcerd has picked
>> up the state change correctly and logged a DSChanged event with the
>> correct output for the new DNSKEY record, and it appears as expected in
>> localhsm, but is not published on the zone.
>>
>> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
>> the rollover?
> Hi,
>
> I would recommend that you wait until the fix
> https://fedorahosted.org/freeipa/ticket/5334
> is released in 4.3.1 or so.
>
> After that you can use the procedure described on the page
> http://www.freeipa.org/page/Howto/DNSSEC
> to run the ds-seen command.
>
> I hope this helps.

That ticket was reported by me ;-)

The issue here is that the new KSK did not appear as a DNSKEY record, so
running ds-seen would have been a bad idea, since the zone would be
entirely invalid if the old key was rotated out before the new key was
published, and the new DS record would be invalid without the
corresponding KSK anyway.

I did also have some more rotated keys get stuck per #5334, and had
cleared them prior to this issue, but I was having trouble getting the
zone resigned correctly, and I was hoping to roll all the keys to deal
with that.  In the end, I had to un-sign the domain and re-sign it to
recover.

I was wondering if there were possibly some known issues/tricks with KSK
rollover, but wasn't certain if my #5334 issues may have thrown a
spanner in the works at some key point in the lifecycle.  I've got some
more KSKs due to roll in a couple of months, so hopefully I can get
4.3.1 deployed before then, and I'll be able to see if the process goes
smoothly without the extraneous issues.

I've also discovered the replication ACI issues in 4.3.0 (#5575 and
friends), which are causing me some grief.  Is there a feel for how
close we are to a 4.3.1 release?
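Added example (not code from this thread, and not FreeIPA's or OpenDNSSEC's own tooling): a pre-flight check in Python that encodes the rule stated above, namely that ds-seen must not be run for a KSK until that key's DNSKEY record is actually served in the zone and the DS digest you are about to submit to the parent matches it. The zone name, key bytes and key tags below are constructed for the example; real keys would come from the served DNSKEY RRset (e.g. dig output) and the DS value from ods-enforcerd's DSChanged log line.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY RRset as the zone might serve it. The public key
# bytes are tiny filler values, not real keys (constructed for this example).
#   (owner, flags, protocol, algorithm, base64 public key)
SAMPLE_DNSKEY_RRSET = [
    ("example.test.", 257, 3, 8, "AQIDBA=="),  # flags 257 = zone key + SEP: a KSK
    ("example.test.", 256, 3, 8, "BQYHCA=="),  # flags 256 = zone key only: a ZSK
]


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)  # sum RDATA as big-endian 16-bit words
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of the owner name (RFC 4034 6.2): lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest_sha256(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256(owner name | DNSKEY RDATA), upper-case hex as dig prints it."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def ksk_published(rrset, expected_tag):
    """Return (key tag, DS SHA-256 digest) of the served KSK with expected_tag, or None if absent."""
    for owner, flags, proto, alg, pub in rrset:
        if not (flags & 1):  # SEP bit clear: a ZSK, never a candidate for a DS record
            continue
        rdata = dnskey_rdata(flags, proto, alg, pub)
        tag = key_tag(rdata)
        if tag == expected_tag:
            return tag, ds_digest_sha256(owner, rdata)
    return None


def preflight_ds_seen(rrset, expected_tag, expected_ds_digest):
    """True only when the new KSK is visible in the zone AND the DS we would submit matches it.

    Either failure means ds-seen would be premature: the parent would point at a key that
    validating resolvers cannot fetch, or at a digest that matches no served key.
    """
    found = ksk_published(rrset, expected_tag)
    if found is None:
        return False
    _, served_digest = found
    return served_digest == expected_ds_digest.upper()


if __name__ == "__main__":
    # Scenario from the thread: the enforcer says the new KSK is 'ready', but is it served?
    # Key tag 2063 is the constructed KSK above; 9999 stands in for a key that is not served.
    for tag in (2063, 9999):
        found = ksk_published(SAMPLE_DNSKEY_RRSET, tag)
        if found is None:
            print(f"KSK {tag}: no DNSKEY served for this tag; do NOT run ds-seen yet")
        else:
            print(f"KSK {tag}: served, DS SHA-256 digest {found[1]}; safe to compare with the enforcer's DS")
```

The check is deliberately independent of the enforcer's own state machine: it looks only at what the zone actually serves, which is exactly the property that was wrong in the situation described above (state 'ready' in localhsm, no DNSKEY in the zone).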