[Freeipa-users] DNSSEC Question (KSK ZSK)

Petr Spacek pspacek at redhat.com
Mon Jan 4 10:08:12 UTC 2016


On 29.12.2015 17:39, Martin Basti wrote:
> 
> 
> On 29.12.2015 14:30, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> Is it possible to install a DNSSEC Master with my previously created KSK and ZSK?
>>
>> Background:
>>
>> I have installed an IPA Master on my system. Now I have changed the hardware
>> and made a new installation with the new hardware.
>>
>> I have only a backup from the Files in
>> /var/named/dyndb-ldap/ipa/master/example.com/keys/
>>
>> When I now enable a new DNSSEC Master, does FreeIPA create a new KSK and ZSK
>> for the domain?
>>
>> Then I have to wait after the holidays to UPDATE the DS Record on my ISP :-(.
>>
>> Thanks for an answer,
>>
> I'm not sure if this is possible,
> 
> IPA uses OpenDNSSEC, and it needs a SoftHSM database and a database of key
> metadata, which are not located in /var/named/...
> 
> New installation of DNSSEC master will create new keys.
> 
> My colleague is more familiar with bind-dyndb-ldap, but he will be available
> after holidays too.

We did not try import, so there is no 100 % certain answer.

In general, it should work if you create the zone in IPA first, then import
new keys into OpenDNSSEC using OpenDNSSEC's means, then delete keys generated
by IPA.

Let me repeat that it is not tested. I hope this helps.

-- 
Petr^2 Spacek
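
A check to run before relying on restored keys, as an added example that is not part of the original thread: whether a backed-up KSK is the one the DS record at the parent was derived from (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509). It assumes the DNSKEY and DS records are available as single-line zone-file text; the sample key below is constructed, not a real key.

```python
import base64, hashlib, struct

def _fields(line):
    """Split a zone-file record into fields, dropping comments and parentheses."""
    return line.split(";")[0].replace("(", " ").replace(")", " ").split()

def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64' into (owner, rdata)."""
    f = _fields(line)
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    key = base64.b64decode("".join(f[i + 4:]))
    return f[0], struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA), as upper-case hex."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()

def matches_ds(dnskey_line, ds_line):
    """True if the DS record (digest type 2) was derived from this DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    f = _fields(ds_line)
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    digest = "".join(f[i + 4:]).upper()
    # The SEP bit (flags & 1) marks a KSK; a ZSK from the backup is rejected here.
    is_ksk = bool(struct.unpack("!H", rdata[:2])[0] & 0x0001)
    return (is_ksk and dtype == 2 and tag == key_tag(rdata)
            and alg == rdata[3] and digest == ds_sha256(owner, rdata))

# Constructed sample: a toy 4-byte "public key" standing in for a backed-up KSK.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="
_owner, _rdata = parse_dnskey(SAMPLE_KSK)
# Constructed DS, standing in for the record already published at the parent.
SAMPLE_DS = "example.com. IN DS %d 8 2 %s" % (key_tag(_rdata), ds_sha256(_owner, _rdata))

if __name__ == "__main__":
    print("key tag:", key_tag(_rdata))
    print("backup KSK matches parent DS:", matches_ds(SAMPLE_KSK, SAMPLE_DS))
```

If the check fails for the key that ends up active in the zone, the DS record at the parent still has to be updated.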