On 12.8.2016 13:26, Guido Schmitz wrote:
> Hi!
> I want to migrate my existing DNS setup to FreeIPA. As this existing
> setup already uses DNSSEC, I want to import my current DNSSEC keys into
> FreeIPA to have a smooth transition over to IPA's DNS. (The authorative
> DNS servers for the zones are set up as slaves that get the zone via
> AXFR and can seamlessly switch to AXFR from IPA.)
> In my test migration, I have created the DNS zone I want to migrate in
> FreeIPA and have enabled DNSSEC.
> As far as I understand IPA's implementation of DNSSEC, OpenDNSSEC takes
> care of key management and key rollover [1]. Hence, I have imported my
> existing DNSSEC keys to OpenDNSSEC according to OpenDNSSEC's HOWTO [2]
> and OpenDNSSEC correctly shows the imported keys along with the DNSSEC
> keys generated by IPA.
> I thought that ipa-dnskeysyncd would take care of syncing the keys from
> OpenDNSSEC to 389 LDAP, but this does not happen: In 389 LDAP, only the
> keys initially created by IPA (while enabling DNSSEC for this zone)
> exist and hence, only these keys are used to sign the zone.
> Do I need to manually insert my existing DNSSEC keys into the LDAP or
> take some other additional steps?


In theory ipa-dnskeysyncd should take care of it. The important step is to
ensure that all the imported keys have CKA_EXTRACTABLE PKCS#11 flag (in
SoftHSM) set to TRUE otherwise the synchronization will not work.

Please note that we never tested this so following text is just untested theory:

Start with usual DNSSEC debugging for FreeIPA:

Besides all other things, I would double-check that (on FreeIPA DNSSEC key
master server):
1) ods-ksmutil key list --verbose
shows the imported keys in state active or publish

2) Command
python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py
shows that keys are CKA_EXTRACTABLE.

3) If all of the above seems to be okay, check logs for ipa-dnskeysyncd and
ipa-ods-exporter services:
journalctl -u ipa-dnskeysyncd -u ipa-ods-exporter

ipa-ods-exporter is the piece doing dirty export work.

I hope it helps.

Petr^2 Spacek

> Cheers,
> -Guido
> [1] https://www.freeipa.org/page/V4/DNSSEC_Support#Implementation
> [2] https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC

Petr^2 Spacek

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to