On 21.12.2015 15:45, Martin Basti wrote:
On 21.12.2015 15:33, Petr Spacek wrote:
this patch set fixes key rotation in DNSSEC.
You can use attached template files for OpenDNSSEC config to shorten
intervals between key rotations.
Please let me know if you have any questions, I'm all ears!
Please fix whitespace error:
Applying: DNSSEC: logging improvements in ldapkeydb.py
warning: 1 line adds whitespace errors.
*) DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
Is is safe to do not use try - except with ipatuil.run()? What if
ods-signer command failed?
*) DNSSEC: Improve error reporting from ipa-ods-exporter
IMO log.exception(ex) is enough, do we need to add traceback to msg?
*) DNSSEC: Make sure that current state in OpenDNSSEC matches key state
I think this is okay because we want to use KSK instantly, but just to
be sure, is Publish->Activate okay?
+ bind_times['idnsSecKeyActivate'] =
Just to be sure how this will be handle during KSK key rotation?
*) DNSSEC: Make sure that current key state in LDAP matches key state in
*) DNSSEC: remove obsolete TODO note
*) DNSSEC: add debug mode to ldapkeydb.py
You can remove __str__ method, python will use __repr__ as defaul
for attr in ['ipaPrivateKey', 'ipaPublicKey', 'ipk11publickeyinfo']:
Do we need to sanitize *public*Key and publicKeyinfo?
in odsmgr.py is used ipa_log_manager, can we use the same for consistency?
Do we need logging there, everything is printed via print except debug
info about connecting, can you just redirect it to stderr, and usable
data leave in stdout?
*) DNSSEC: logging improvements in ldapkeydb.py
IMO commit message should be: ".... in ipa-ods-exporter"
*) DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
A) coding style: please use (), instead of "\"
assert set(pubkeys_local) == set(privkeys_local), (
"IDs of private and public keys for DNS zones in local HSM
"not match to key pairs: %s vs. %s" %
B) coding style
assert not matched_already, (
"key %s is in more than one keyset" % hexlify(keyid)
how about case when keyid is not in any keyset, then keyid will not be
replaced by object and it blow up somewhere else
D) +class KeyDeleter(object):
I would like to have a check there which blows up nicely if
_update_key() is called twice on the same object. With current
implementation you will get NoneType has no delete_entry method.
I somehow does not like the placeholder object. Could we just extend
Key object with attribute "to_be_deleted" or something similar, and if
this attribute is set to True, Key._update_key() can remove, instead of
creation a new object.
Key.prepare_deletion() can set the value "to_be_deleted" to True.
*) DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
How often is keysyncer initialized? Might happen the case where one of
dnssec_zones has been disabled and keysyncer is not aware of this change?
You may want to use DNSName from ipapython.dnsutil instead of pure dns.name
*) DNSSEC: ipa-ods-exporter: add ldap-cleanup command
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code