On Mon, 2014-06-23 at 17:44 +0200, Martin Basti wrote: > Hello, > I have following issues: > > #1 Upgrading existing replicas to support DNSSEC won't work for current > design (replica-file as storage for temporal replica key). > Temporal private key needs to be copied to replica, and no encrypted > master-key for replica is prepared in LDAP, because user doesn't need to > run ipa-replica-prepare. > > After discussion with Petr2, the solution is: > a) Each replica (except first - which generates master-key) generates > replica public and private keys. > b) Replica uploads public key to LDAP > c) Replica with generated master key, use the public key (b) to encrypt > master-key and store it to LDAP. Replica with master-key must detect, if > there is any new public replica key. > d) Replica (b) is now able to get master-key using own private replica > key > > > #2 We need to choose only one replica which will generate, (rotate, ...) > DNSSEC keys. and generate master key too
> My proposal is to test during installation/upgrade if any dnssec/master > keys are in LDAP. If no key was found, the first server is > installed/upgraded and DNSSEC key generator is required. > > But there is issue with parallel upgrade multiple replicas (or if > replication temporarily doesn't work). There is no guarantee if replicas > will be able to detect if any replica became DNSSEC key generator. > > > Please write me your opinions. > -- Martin^2 Basti _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel