On 12.8.2016 13:26, Guido Schmitz wrote: > Hi! > > I want to migrate my existing DNS setup to FreeIPA. As this existing > setup already uses DNSSEC, I want to import my current DNSSEC keys into > FreeIPA to have a smooth transition over to IPA's DNS. (The authorative > DNS servers for the zones are set up as slaves that get the zone via > AXFR and can seamlessly switch to AXFR from IPA.) > > In my test migration, I have created the DNS zone I want to migrate in > FreeIPA and have enabled DNSSEC. > > As far as I understand IPA's implementation of DNSSEC, OpenDNSSEC takes > care of key management and key rollover . Hence, I have imported my > existing DNSSEC keys to OpenDNSSEC according to OpenDNSSEC's HOWTO  > and OpenDNSSEC correctly shows the imported keys along with the DNSSEC > keys generated by IPA. > > I thought that ipa-dnskeysyncd would take care of syncing the keys from > OpenDNSSEC to 389 LDAP, but this does not happen: In 389 LDAP, only the > keys initially created by IPA (while enabling DNSSEC for this zone) > exist and hence, only these keys are used to sign the zone. > > Do I need to manually insert my existing DNSSEC keys into the LDAP or > take some other additional steps?
Hello! In theory ipa-dnskeysyncd should take care of it. The important step is to ensure that all the imported keys have CKA_EXTRACTABLE PKCS#11 flag (in SoftHSM) set to TRUE otherwise the synchronization will not work. Please note that we never tested this so following text is just untested theory: Start with usual DNSSEC debugging for FreeIPA: http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work Besides all other things, I would double-check that (on FreeIPA DNSSEC key master server): 1) ods-ksmutil key list --verbose shows the imported keys in state active or publish 2) Command python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py shows that keys are CKA_EXTRACTABLE. 3) If all of the above seems to be okay, check logs for ipa-dnskeysyncd and ipa-ods-exporter services: journalctl -u ipa-dnskeysyncd -u ipa-ods-exporter ipa-ods-exporter is the piece doing dirty export work. I hope it helps. Petr^2 Spacek > > Cheers, > -Guido > > > >  https://www.freeipa.org/page/V4/DNSSEC_Support#Implementation >  https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC > -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project