On 10/09/2014 03:57 PM, Petr Spacek wrote:

It would be great if people could look at the current state of the DNSSEC patches for

It consists of several relatively independent parts:
- python-pkcs#11 interface written by Martin Basti:

- DNSSEC daemons written by me:

- FreeIPA integration written by Martin Basti:

For now, a brief visual inspection is good enough :-)

Current state:
- It works only on a single DNSSEC "master" server because we still do not have
the key wrapping machinery.
- The "master" server has to be configured manually using ipa-dnssec-setmaster.
- DNSSEC keys are generated on the fly when DNSSEC is enabled for particular
- Metadata for BIND are generated on the fly.
- BIND automatically signs the zone.

It depends on the latest softhsm, opendnssec and bind-pkcs11-util & bind-pkcs11
packages, which are not in Fedora 21 yet.

Thank you for your time!

Good! I am glad to see progress. I am also CCing Simo and Rob to keep them in the loop. It would be especially useful if you also showed Simo your special file permissions (setfacl) and the sharing of config files between daemons. I am rather nervous about this part.

To comment on FreeIPA integration - I saw you are adding a new config file:
- install/tools/ipa-dnssec-setmaster

I wonder how consistent and future-proof that is. Setting the master is currently done in "ipa-*replica-manage"; check for example "ipa-csreplica-manage". We want to have these operations in a sensible place, as we will be refactoring them in 4.2.

As for the service installation code itself, I would rather see it in

# ipa-dns-install

which could have new --dnssec-master and --no-dnssec flags.


Freeipa-devel mailing list