On 10/10/14 14:51, Simo Sorce wrote:
On Fri, 10 Oct 2014 09:17:34 +0200
Martin Kosek <mko...@redhat.com> wrote:

On 10/09/2014 03:57 PM, Petr Spacek wrote:

it would be great if people could look at current state of DNSSEC
patches for FreeIPA.

It consist of several relatively independent parts:
- python-pkcs#11 interface written by Martin Basti:

- DNSSEC daemons written by me:
Well I have to be honest, it would be easier if commit messages were in
English :-)

Honestly, those commit messages are not helpful, we plan to merge it into one IPA commit, so we don't use nice commit messages.

- FreeIPA integration written by Martin Basti:

For now brief visual inspection is good enough :-)

Current state
- It works only on single DNSSEC "master" server because we still
do not have the key wrapping machinery.
- The "master" server has to be configured manually using
ipa-dnssec-setmaster utility.
- DNSSEC keys are generated on the fly when DNSSEC is enabled for
particular zone.
- Metadata for BIND are generated on the fly.
- BIND automatically signs the zone.

It depends on latest softhsm, opendnssec and bind-pkcs11-util &
bind-pkcs11 packages which are not in Fedora 21 yet.

Thank you for your time!

Good! I am glad to see a progress. I am also CCing Simo and Rob to be
in the loop. It would be especially useful if you also show Simo your
special file permissions (setfacl) and sharing config files between
daemons. I rather nervous about this part.

To comment on FreeIPA integration - I saw you are adding a new config
- install/tools/ipa-dnssec-setmaster

I wonder how consistent and future proof that is. Setting master is
currently being done in "ipa-*replica-manage", check for example
"ipa-csreplica-manage". We want to have these operations on a
sensible place as we will be refactoring them in 4.2.

As for the service installation code itself, I would rather see it in

# ipa-dns-install

which could have new --dnssec-master and --no-dnssec flag.


Martin Basti

Freeipa-devel mailing list

Reply via email to