On 3/18/21 5:20 PM, Harry G. Coin via FreeIPA-users wrote:
Notice the two pages regarding DNSSEC (the 'howto' and the
'troubleshooting') discuss a requirement to give a command ( ... ds-seen
... ), requiring many arguments.  The docs call for this command to
occur for each domain after the DS key has been uploaded to the parent
domain, and required for key rollover operations.

'To-do' documentation proposes to automate that along with many other
items-- all of which is then marked 'done'.

I notice the 'drill' command to verify proper DNSSEC operation gives [T]
/ trusted results without having given the command that includes 'ds-seen'.

1)  Since whether the parent domain has a proper DS key is something
freeipa could determine without needing to be goaded by the user, it's
reasonable to suppose the automation of this has been accomplished and
so the requirement to give the ds-seen command mentioned in the
documentation is obsolete?  Is it, and if so, ought it be marked as such?

Hi,

as far as I know, this step hasn't been automated and it is still needed. As the docs state, it is required to enable key rotation.

You can refer to https://wiki.opendnssec.org/display/DOCS/Key+States#KeyStates-Publish for reference to understand the key states. The command moves the KSK from ready to active and sets a date for key retirement.

It doesn't have any impact on the signed records (they are already available in the zone), but the zone remains insecure until the records are uploaded to the parent zone. More information can be found in https://bind9.readthedocs.io/en/latest/dnssec-guide.html#uploading-information-to-the-parent-zone

flo

2)  If it doesn't already, in the case where freeipa manages domain y.z
and dnssec is enabled for domain x.y.z, freeipa ought to load and
update/maintain the ds key for x.y.z into y.z automatically.

Thanks

Harry


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
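
The check the thread turns on (does the parent y.z actually publish a DS that matches the child's KSK?) can be reproduced offline. The following is an added example, not FreeIPA's or BIND's own code: it derives the SHA-256 DS record from a DNSKEY per RFC 4034 and compares it against a constructed set of DS records assumed to have been seen in the parent; the zone names x.y.z and y.z come from the thread, and the key bytes are placeholder data, not a real key.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> tuple:
    """(key_tag, algorithm, digest_type, digest_hex) of the DS record the parent must publish.
    Digest type 2 = SHA-256 over canonical owner name || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)


def ds_seen(parent_ds_set, owner, flags, protocol, algorithm, pubkey) -> bool:
    """True only if the parent publishes a DS matching this KSK field for field."""
    want = compute_ds(owner, flags, protocol, algorithm, pubkey)
    return any(tuple(ds) == want for ds in parent_ds_set)


# Constructed KSK for x.y.z: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256).
KSK_PUBKEY = base64.b64decode("AQMAAQID")  # placeholder bytes, not a real key
EXPECTED_DS = compute_ds("x.y.z", 257, 3, 8, KSK_PUBKEY)

if __name__ == "__main__":
    print("DS that y.z should publish for x.y.z:", EXPECTED_DS)
    # Parent set constructed to contain exactly that DS.
    print("parent has it:", ds_seen([EXPECTED_DS], "x.y.z", 257, 3, 8, KSK_PUBKEY))
```

A real check would fetch the parent's DS RRset (e.g. with drill or dig) and the child's DNSKEY RRset and feed them to ds_seen instead of the constructed values.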
