Hi!

I want to migrate my existing DNS setup to FreeIPA. As this existing
setup already uses DNSSEC, I want to import my current DNSSEC keys into
FreeIPA to have a smooth transition over to IPA's DNS. (The authoritative
DNS servers for the zones are set up as slaves that get the zone via
AXFR and can seamlessly switch to AXFR from IPA.)

In my test migration, I have created the DNS zone I want to migrate in
FreeIPA and have enabled DNSSEC.

As far as I understand IPA's implementation of DNSSEC, OpenDNSSEC takes
care of key management and key rollover [1]. Hence, I have imported my
existing DNSSEC keys to OpenDNSSEC according to OpenDNSSEC's HOWTO [2]
and OpenDNSSEC correctly shows the imported keys along with the DNSSEC
keys generated by IPA.

I thought that ipa-dnskeysyncd would take care of syncing the keys from
OpenDNSSEC to 389 LDAP, but this does not happen: In 389 LDAP, only the
keys initially created by IPA (while enabling DNSSEC for this zone)
exist and hence, only these keys are used to sign the zone.

Do I need to manually insert my existing DNSSEC keys into the LDAP or
take some other additional steps?

Cheers,
-Guido



[1] https://www.freeipa.org/page/V4/DNSSEC_Support#Implementation
[2] https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
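One concrete way to verify the symptom described in this message (that only the IPA-generated keys sign the zone) is to compare the key tags in the DNSKEY RRset the zone actually publishes with the key tags of the keys you imported. The script below is an added example for this thread, not code from the poster, FreeIPA or OpenDNSSEC; it computes DNSKEY key tags per RFC 4034 Appendix B and reports expected tags that are absent from the served RRset. The DNSKEY lines and the expected tag set are constructed sample data, not real keys.

```python
"""Compare the DNSKEY RRset a zone serves with the key tags you expect.

Added example for this thread; not FreeIPA or OpenDNSSEC code. The DNSKEY
record lines and EXPECTED_KEYTAGS below are constructed sample data.
"""
import base64


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B. The obsolete RSA/MD5 (algorithm 1)
    special case is not handled here."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even positions are high bytes
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str) -> dict:
    """Parse one DNSKEY record in presentation format:
    <owner> <ttl> IN DNSKEY <flags> <protocol> <algorithm> <base64 key...>
    The base64 key may be split over several whitespace-separated fields."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return {
        "owner": fields[0],
        "flags": flags,
        "role": "KSK" if flags & 0x0001 else "ZSK",   # SEP bit set => KSK
        "algorithm": algorithm,
        "keytag": dnskey_keytag(flags, protocol, algorithm, pubkey),
    }


def published_keytags(dnskey_lines) -> set:
    """Key tags of every DNSKEY record in the served RRset."""
    return {parse_dnskey_line(line)["keytag"] for line in dnskey_lines}


def missing_keytags(dnskey_lines, expected_tags) -> set:
    """Key tags you expect (e.g. the imported keys) that the zone does not
    publish. A non-empty result means those keys are not in use."""
    return set(expected_tags) - published_keytags(dnskey_lines)


# Constructed sample RRset: a KSK (flags 257) and a ZSK (flags 256) with a
# tiny fake public key. Real output comes from e.g.
#   dig +noall +answer DNSKEY example.test @<ipa-server>
SAMPLE_DNSKEY_RRSET = [
    "example.test. 3600 IN DNSKEY 257 3 8 AwEAAas=",
    "example.test. 3600 IN DNSKEY 256 3 8 AwEA Aas=",
]

# Constructed expected tags: the two published keys plus one imported key
# (tag 12345, hypothetical) that should be published but is not.
EXPECTED_KEYTAGS = {45579, 45578, 12345}

if __name__ == "__main__":
    for line in SAMPLE_DNSKEY_RRSET:
        rec = parse_dnskey_line(line)
        print(f"{rec['owner']} {rec['role']} alg={rec['algorithm']} tag={rec['keytag']}")
    print("expected but not published:", sorted(missing_keytags(SAMPLE_DNSKEY_RRSET, EXPECTED_KEYTAGS)))
```

To use it against a real migration, feed `SAMPLE_DNSKEY_RRSET` the DNSKEY answer lines from the IPA-served zone and `EXPECTED_KEYTAGS` the key tags OpenDNSSEC reports for the imported keys; any tag left in the result is a key that exists in OpenDNSSEC but has not made it into the zone's signing set.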

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project