On 10/10/14 09:17, Martin Kosek wrote:
On 10/09/2014 03:57 PM, Petr Spacek wrote:
Hello,

it would be great if people could look at the current state of the DNSSEC patches for
FreeIPA.

It consists of several relatively independent parts:
- python-pkcs#11 interface written by Martin Basti:
https://github.com/spacekpe/freeipa-pkcs11

- DNSSEC daemons written by me:
https://github.com/spacekpe/ipadnssecd

- FreeIPA integration written by Martin Basti:
https://github.com/bastiak/freeipa/tree/dnssec

For now, a brief visual inspection is good enough :-)

Current state
=============
- It works only on a single DNSSEC "master" server because we still do not have
the key wrapping machinery.
- The "master" server has to be configured manually using the ipa-dnssec-setmaster
utility.
- DNSSEC keys are generated on the fly when DNSSEC is enabled for a particular zone.
- Metadata for BIND are generated on the fly.
- BIND automatically signs the zone.

It depends on the latest softhsm, opendnssec and bind-pkcs11-util & bind-pkcs11
packages, which are not in Fedora 21 yet.

Thank you for your time!


Good! I am glad to see progress. I am also CCing Simo and Rob to be in the loop. It would be especially useful if you also show Simo your special file permissions (setfacl) and the sharing of config files between daemons. I am rather nervous about this part.

We will *not* use setfacl; there were some issues with softhsm, which Petr^2 found yesterday.


To comment on FreeIPA integration - I saw you are adding a new config file:
- install/tools/ipa-dnssec-setmaster

I wonder how consistent and future-proof that is. Setting the master is currently done in "ipa-*replica-manage"; check for example "ipa-csreplica-manage". We want to have these operations in a sensible place, as we will be refactoring them in 4.2.

As for the service installation code itself, I would rather see it in

# ipa-dns-install

which could have new --dnssec-master and --no-dnssec flags.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


--
Martin Basti
