On 17/10/14 10:35, Petr Spacek wrote:
On 17.10.2014 10:08, Jan Cholasta wrote:
On 16.10.2014 at 20:01, Petr Spacek wrote:
On 16.10.2014 19:43, Jan Cholasta wrote:
On 16.10.2014 at 17:59, Martin Basti wrote:
On 10/10/14 09:17, Martin Kosek wrote:
On 10/09/2014 03:57 PM, Petr Spacek wrote:
it would be great if people could look at the current state of DNSSEC
It consists of several relatively independent parts:
- python-pkcs#11 interface written by Martin Basti:
- DNSSEC daemons written by me:
- FreeIPA integration written by Martin Basti:
Here is updated repo with installers, please review:
TODO: integrate ipadnssecd daemons and pkcs11 helper, when finished
Not something you can fix in this commit, but shouldn't
named ipa-odsexportd, so that the naming is consistent with the rest
Side note: ipa-ods-exporter is not a daemon :-) It is single-shot
activated via socket. It is a replacement for "ODS signer" and uses the
Anyway, I don't care much. Feel free to pick a new name and let me know.
Never mind, I thought it was a daemon.
Why do you use the default /etc/softhsm2.conf file, instead of
/etc/ipa/dnssec/softhsm2.conf and passing it to SoftHSM in the
I don't like the idea. The same library is used from named and
ods-enforcerd so we would have to modify environment variables for all
of them and do some monkey patching in /etc/systemd.
AFAIK current ipactl/framework is sooo clever so it deletes service
files related to all services "managed" by IPA if they are located in
/etc/systemd. As a result we don't have any way to override values
supplied by other packages now.
IMO if we can have a private instance of something we should have it. To
configure named properly, you just have to add a line with
"SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf" to /etc/sysconfig/named.
Ok, I did not realize that we don't actually need systemd unit
overrides. We need to do the same with /etc/sysconfig/ods and unit
files for ipa-dnskeysynd and ipa-ods-exporter.
I think /etc/ipa/softhsm_pin_so should be moved to
Is it a good idea to store both PINs on the same spot?
not necessary at run-time so it can be readable only by root:root.
What do you mean by "the same spot"?
Never mind, I can't read.
Hello, the latest version:
Freeipa-devel mailing list
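
Added example (not code from the FreeIPA project or from anyone in this thread): a small audit for the setup discussed above. It checks that the two sysconfig files named in the thread point SoftHSM at the private configuration, and that the security-officer PIN file has no group or other access. It assumes plain `KEY=VALUE` environment files and GNU `stat`; the function names are hypothetical, and the PIN path is passed as an argument because the thread does not show where the file ends up.

```shell
#!/bin/sh
# Added example: audit of the private SoftHSM configuration (hypothetical helper names).
WANT_CONF="/etc/ipa/dnssec/softhsm2.conf"

# env_points_to FILE PATH
# Succeeds only if the last uncommented SOFTHSM2_CONF assignment in FILE equals PATH.
# Exit status 2 means the file could not be read.
env_points_to() (
    [ -r "$1" ] || exit 2
    last=$(sed -n -E \
        's/^[[:space:]]*(export[[:space:]]+)?SOFTHSM2_CONF="?([^"[:space:]]*)"?[[:space:]]*$/\2/p' \
        "$1" | tail -n 1)
    [ "$last" = "$2" ]
)

# pin_is_private FILE UID:GID
# Succeeds only if FILE is owned by the numeric UID:GID and grants nothing
# to group or others (mode & 077 == 0). Exit status 2 means the file is missing.
pin_is_private() (
    [ -e "$1" ] || exit 2
    owner=$(stat -c '%u:%g' "$1")   # GNU stat (assumption)
    mode=$(stat -c '%a' "$1")
    [ "$owner" = "$2" ] && [ $(( 0$mode & 077 )) -eq 0 ]
)

# audit [PIN_FILE]
# Checks the files named in the thread; PIN_FILE defaults to the path quoted there.
audit() (
    rc=0
    for f in /etc/sysconfig/named /etc/sysconfig/ods; do
        if env_points_to "$f" "$WANT_CONF"; then
            echo "OK   $f"
        else
            echo "FAIL $f: SOFTHSM2_CONF is not $WANT_CONF"
            rc=1
        fi
    done
    pin="${1:-/etc/ipa/softhsm_pin_so}"
    if pin_is_private "$pin" "0:0"; then
        echo "OK   $pin"
    else
        echo "FAIL $pin: must be owned by root:root with no group/other access"
        rc=1
    fi
    exit "$rc"
)

# Run against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then audit "${2:-}"; fi
```

A line that is commented out or carries trailing text after the value is treated as not set, so the check fails closed.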