> > Now it is getting interesting :-)
> >
> > First of all, what version of FreeIPA packages and on what distro are you
> > using? There are significant differences between package versions.
I am running Fedora 23 (inside an LXC on a Proxmox host) with FreeIPA 4.3.1 from COPR.

> > The export is handled by ipa-ods-exporter service on IPA DNSSEC key master
> > server. Look at its logs and see if it reports any errors.
> >
> > I'm not sure how OpenDNSSEC handles key import. IPA is waiting on OpenDNSSEC
> > signer's socket for events which indicate key state change. If this does not
> > happen the key is not exported.
> >
> > You can trigger this manually by calling command
> > "ods-signer ipa-full-update"
> > or
> > "ods-signer update <zone name>"

First, when I triggered the sync, I got the following error message:

ipa-ods-exporter exception:
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-ods-exporter", line 721, in <module>
    sync_zone(log, ldap, dns_dn, zone_name)
  File "/usr/libexec/ipa/ipa-ods-exporter", line 539, in sync_zone
    ods_keys = get_ods_keys(zone_name)
  File "/usr/libexec/ipa/ipa-ods-exporter", line 278, in get_ods_keys
    key_data.update(ods2bind_timestamps(row['state'], key_type, ods_times))
  File "/usr/libexec/ipa/ipa-ods-exporter", line 163, in ods2bind_timestamps
    bind_times['idnsSecKeyCreated'] = ods_times['idnsSecKeyCreated']
KeyError: 'idnsSecKeyCreated'

This was caused by the field "generate" of table "keypairs" in OpenDNSSEC's DB, located at /var/opendnssec/kasp.db, being empty (probably because the key was not generated by OpenDNSSEC). After I fixed this by entering some date into the field, the manually triggered sync went through and the key appeared in the LDAP subtree cn=keys,idnsname=myzone.com,cn=dns.

The key, however, was still not used by BIND. It turned out that I also had to set a publish time in field "publish" of table "dnsseckeys" of /var/opendnssec/kasp.db. After this, BIND seems to use this key now :-)

Still, there is one problem: my old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses algorithm 8 (RSASHA256).
The old key is correctly marked as algorithm 7 in LDAP (under attribute idnsSecAlgorithm in the entry cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns), but BIND seems to ignore this attribute and assumes that it is always algorithm 8.

For documentation purposes, these are the steps I performed:

* Get the KSK keyfile from old setup (Kmyzone.com.+007+12345.private)

* Convert it to PEM format:

  softhsm2-keyconv --in Kmyzone.com.+007+12345.private --out ksk.pem

* Import the KSK key to SoftHSM (using the patched softhsm2-util):

  sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf /usr/src/SoftHSMv2/src/bin/util/softhsm2-util --import ksk.pem --slot 381930204 --pin $(cat /var/lib/ipa/dnssec/softhsm_pin) --label a00001 --id a00001

  (The patched softhsm2-util used a different slot number on my system. It usually is 0, but on my setup, the patched softhsm2-util named the slot 381930204. Note that I chose a00001 as key id here. I will refer to this id later.)

* Add the key to OpenDNSSEC:

  sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key import --cka_id a00001 --repository SoftHSM --zone myzone.com --bits 2048 --algorithm 7 --keystate active --keytype KSK --time 20140731131634

  (Note that you need to adapt some values here, depending on your key. These are bits, algorithm and time.)
* Switch off ods-enforcerd, so we can safely modify OpenDNSSEC's DB:

  service ods-enforcerd stop

* Modify OpenDNSSEC's DB to set "generate" in table "keypairs" and "publish" in table "dnsseckeys":

  sqlite3 /var/opendnssec/kasp.db
  -- lookup internal key id (below I will assume that it is 1)
  select * from keypairs where HSMkey_id='a00001';
  update keypairs set generate='2014-07-31 13:16:34' where id=1;
  update dnsseckeys set publish='2014-07-31 13:16:34' where keypair_id=1;

* Turn ods-enforcerd on again:

  service ods-enforcerd start

* Trigger full update:

  ods-signer ipa-full-update

-Guido

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
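As an added example (not code from this thread, FreeIPA or OpenDNSSEC), here is the pre-flight check a key-master operator would want before triggering ods-signer after a manual key import: it finds keys in kasp.db whose generate or publish timestamps are empty, the two fields whose absence caused the KeyError and the unused key described in the post, and fills them the same way the post's UPDATE statements do. It assumes only the column names the post uses (keypairs.id, keypairs.HSMkey_id, keypairs.generate, dnsseckeys.keypair_id, dnsseckeys.publish) and works on a constructed in-memory stand-in for /var/opendnssec/kasp.db rather than the real file.

```python
import sqlite3

# Constructed stand-in for /var/opendnssec/kasp.db: only the columns the post
# touches are modelled (assumption: the real schema has many more columns).
def open_constructed_kasp_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE keypairs (id INTEGER PRIMARY KEY, HSMkey_id TEXT, generate TEXT);
        CREATE TABLE dnsseckeys (keypair_id INTEGER, publish TEXT);
        -- key 1: imported by hand with ods-ksmutil, timestamps never filled in
        INSERT INTO keypairs VALUES (1, 'a00001', NULL);
        INSERT INTO dnsseckeys VALUES (1, NULL);
        -- key 2: generated by OpenDNSSEC itself, both timestamps present
        INSERT INTO keypairs VALUES (2, 'b00002', '2016-01-10 09:00:00');
        INSERT INTO dnsseckeys VALUES (2, '2016-01-10 09:00:00');
    """)
    return conn

def find_keys_missing_timestamps(conn):
    """Return [(keypair id, HSMkey_id, [missing fields])] for keys that
    ipa-ods-exporter cannot export cleanly: empty keypairs.generate is what
    raised KeyError 'idnsSecKeyCreated', empty dnsseckeys.publish leaves the
    key exported but unused by BIND."""
    rows = conn.execute("""
        SELECT k.id, k.HSMkey_id, k.generate, d.publish
        FROM keypairs k LEFT JOIN dnsseckeys d ON d.keypair_id = k.id
        ORDER BY k.id
    """).fetchall()
    problems = []
    for key_id, hsm_id, generate, publish in rows:
        missing = [name for name, value in (("keypairs.generate", generate),
                                            ("dnsseckeys.publish", publish))
                   if not value]
        if missing:
            problems.append((key_id, hsm_id, missing))
    return problems

def set_import_timestamps(conn, hsm_key_id, timestamp):
    """The post's two UPDATEs for one key, keyed on the CKA_ID instead of the
    internal id and filling only fields that are still empty; returns rows
    changed. Run it only while ods-enforcerd is stopped, as in the post."""
    with conn:
        n = conn.execute(
            "UPDATE keypairs SET generate = ? WHERE HSMkey_id = ? "
            "AND (generate IS NULL OR generate = '')", (timestamp, hsm_key_id)).rowcount
        n += conn.execute(
            "UPDATE dnsseckeys SET publish = ? WHERE (publish IS NULL OR publish = '') "
            "AND keypair_id IN (SELECT id FROM keypairs WHERE HSMkey_id = ?)",
            (timestamp, hsm_key_id)).rowcount
    return n
```

Against the real file, replace the in-memory connection with sqlite3.connect("/var/opendnssec/kasp.db") and run the check before and after ods-signer ipa-full-update.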