Hi Flo,

Thanks. After disabling dnssec then faking it out with a copy of the empty kasp.db I was able to get it working.

Best regards,
Eric

------- Original Message -------
On Monday, October 3rd, 2022 at 2:52 AM, Florence Blanc-Renaud <[email protected]> wrote:
> Hi,
>
> to enable DNSSEC, the following command has to be run on the IPA server that
> will be the DNSSEC key master:
> # ipa-dns-install --dnssec-master [other options]
>
> You can find more information here: https://www.freeipa.org/page/Howto/DNSSEC
>
> HTH,
> flo
>
> On Sun, Oct 2, 2022 at 8:09 PM Eric Ashley via FreeIPA-users
> <[email protected]> wrote:
> >
> > Greetings all,
> >
> > I'm running the following FreeIPA:
> >
> > Installed Packages
> > freeipa-client.x86_64 4.9.10-4.fc36 @updates
> > freeipa-client-common.noarch 4.9.10-4.fc36 @updates
> > freeipa-common.noarch 4.9.10-4.fc36 @updates
> > freeipa-healthcheck.noarch 0.11-2.fc36 @updates
> > freeipa-healthcheck-core.noarch 0.11-2.fc36 @updates
> > freeipa-selinux.noarch 4.9.10-4.fc36 @updates
> > freeipa-server.x86_64 4.9.10-4.fc36 @updates
> > freeipa-server-common.noarch 4.9.10-4.fc36 @updates
> > freeipa-server-dns.noarch 4.9.10-4.fc36 @updates
> > libipa_hbac.x86_64 2.7.4-1.fc36 @updates
> > python3-ipaclient.noarch 4.9.10-4.fc36 @updates
> > python3-ipalib.noarch 4.9.10-4.fc36 @updates
> > python3-ipaserver.noarch 4.9.10-4.fc36 @updates
> > python3-libipa_hbac.x86_64 2.7.4-1.fc36 @updates
> > sssd-ipa.x86_64 2.7.4-1.fc36 @updates
> >
> > My other internal DNS server is 9.16.33-1.fc36 running on the same OS
> > revision. Both my FreeIPA subdomain and the subdomain served by the other
> > Bind 9 instance are serving subdomains of my issued domain name but are
> > hidden. My public DNS (also Bind9, but on Debian) is in my DMZ and
> > accessible via local LAN links to all FreeIPA clients. My publicly
> > accessible hosts are not FreeIPA clients and don't look up internal PTR
> > records or need any integration with FreeIPA. If something really requires
> > the DS records for the subdomains to be available, I could create a view on
> > the public server that serves that data, including the subdomain authority
> > delegation. I'd rather not take this step unless it's really a necessity.
> >
> > I don't have any FreeIPA secondary servers at present since I can't see a
> > point in having 2 copies of the same server running as VMs on the same host
> > machine. As I lack another machine with sufficient power to run FreeIPA
> > server, I just backup regularly. Therefore, the packages that manage a
> > fleet of servers are unnecessary overhead, since I have just 1.
> >
> > ipa dnszone-show returns the following as the first line of output,
> > followed by the other settings looking as expected:
> > ipa: WARNING: No DNSSEC key master is installed. DNSSEC zone signing will
> > not work until the DNSSEC key master is installed.
> >
> > I have created ZSK and KSK keys for the ipa subdomain. I'm wondering if
> > there's an easier way to import them than manually creating the DNSKEY 256
> > and 257 records. I've searched, fruitlessly, for the information in the doc
> > and can only find passing references to DNSSEC, with no key import
> > instructions.
> >
> > rndc dnssec -status <myipa>.domain.com
> >
> > reports
> >
> > Zone does not have dnssec-policy
> >
> > Do I change that in named config files or is there a preferred way to set it
> > via freeipa? After I sent my first attempt at this message, I stumbled upon
> > the fact that Bind had updated to support a fully automatic key management.
> > At my last digging, it still required the admin to generate and install
> > keys manually. All my other servers are properly using the default
> > dnssec-policy and inline-signing is yes.
> >
> > At some point I'll remember that I can't send mailing list emails from
> > Thunderbird without ProtonMail signing it.
> >
> > Thanks in advance,
> > Eric
> >
> > Sent with Proton Mail secure email.
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/[email protected]
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
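The thread above mentions the DNSKEY 256 (ZSK) and 257 (KSK) records and the DS records a parent zone would need for the subdomain delegation. The following is an added example (not code from the thread or from FreeIPA) that classifies DNSKEY records by their flags, computes the RFC 4034 key tag, and derives the SHA-256 DS record for the KSK; the owner name ipa.example.com and the DNSKEY lines are constructed sample data, not real key material.

```python
"""Classify DNSKEY records (256 = ZSK, 257 = KSK), compute RFC 4034 key tags
and derive the DS record the parent zone publishes for the KSK.
Added example; the DNSKEY lines below are constructed, not real keys."""
import base64
import hashlib
import struct

# Constructed sample records in zone-file presentation format (hypothetical zone).
SAMPLE_DNSKEYS = [
    "ipa.example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",  # KSK, algorithm 13
    "ipa.example.com. 3600 IN DNSKEY 256 3 13 AQIDBA==",  # ZSK, algorithm 13
]

def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, key_bytes) from one DNSKEY RR line."""
    fields = line.split()
    if len(fields) < 8 or fields[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    flags, protocol, algorithm = (int(f) for f in fields[4:7])
    key = base64.b64decode("".join(fields[7:]))  # public key may be split over fields
    return fields[0].lower(), flags, protocol, algorithm, key

def key_role(flags):
    """Flag bit 7 (0x100) marks a zone key; bit 15 (0x1) is the SEP bit that marks a KSK."""
    if not flags & 0x100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x1 else "ZSK"

def dnskey_rdata(flags, protocol, algorithm, key):
    """Wire-format RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag, as referenced by DS and RRSIG records."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(line):
    """Return the DS RR (digest type 2 = SHA-256) for a KSK DNSKEY line; rejects a ZSK."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    if key_role(flags) != "KSK":
        raise ValueError("DS records are published only for the KSK (flags 257)")
    digest = hashlib.sha256(wire_name(owner) + dnskey_rdata(flags, protocol, algorithm, key))
    tag = key_tag(flags, protocol, algorithm, key)
    return "%s IN DS %d %d 2 %s" % (owner, tag, algorithm, digest.hexdigest().upper())
```

The key tag and digest are computed over the exact wire-format RDATA, so a DS produced from a copied presentation line only matches what the signer uses if the base64 public key was copied intact.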
