Re: [Freeipa-users] DNSSEC KSK rollover

2016-03-01 Thread Petr Spacek
On 29.2.2016 11:54, Peter Fern wrote:
> On 02/29/2016 21:22, Petr Spacek wrote:
>> On 28.2.2016 14:51, Peter Fern wrote:
>>> Hi all,
>>> A new KSK has been auto-generated, and it's transitioned through
>>> 'published' and is now sitting in the 'ready' state, but does not appear
>>> as a DNSKEY record on the zone.  I can see that ods-enforcerd has picked
>>> up the state change correctly and logged a DSChanged event with the
>>> correct output for the new DNSKEY record, and it appears as expected in
>>> localhsm, but is not published on the zone.
>>>
>>> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
>>> the rollover?
>> Hi,
>>
>> I would recommend that you wait until the fix
>> https://fedorahosted.org/freeipa/ticket/5334
>> is released in 4.3.1 or so.
>>
>> After that you can use the procedure described on the page
>> http://www.freeipa.org/page/Howto/DNSSEC
>> to run the ds-seen command.
>>
>> I hope this helps.
> 
> That ticket was reported by me ;-)
> 
> The issue here is that the new KSK did not appear as a DNSKEY record, so
> running ds-seen would have been a bad idea, since the zone would be
> entirely invalid if the old key was rotated out before the new key was
> published, and the new DS record would be invalid without the
> corresponding KSK anyway.

This should be fixed in 4.3.1 too.


> I did also have some more rotated keys get stuck per #5334, and had
> cleared them prior to this issue, but I was having trouble getting the
> zone resigned correctly, and I was hoping to roll all the keys to deal
> with that.  In the end, I had to un-sign the domain and re-sign it to
> recover.
> 
> I was wondering if there were possibly some known issues/tricks with KSK
> rollover, but wasn't certain if my #5334 issues may have thrown a
> spanner in the works at some key point in the lifecycle.  I've got some
> more KSKs due to roll in a couple of months, so hopefully I can get
> 4.3.1 deployed before then, and I'll be able to see if the process goes
> smoothly without the extraneous issues.
> 
> I've also discovered the replication ACI issues in 4.3.0 (#5575 and
> friends), which are causing me some grief.  Is there a feel for how
> close we are to a 4.3.1 release?

We intend to release it in a week or two (if everything goes as planned).
Stay tuned.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] DNSSEC KSK rollover

2016-02-29 Thread Peter Fern
On 02/29/2016 21:22, Petr Spacek wrote:
> On 28.2.2016 14:51, Peter Fern wrote:
>> Hi all,
>> A new KSK has been auto-generated, and it's transitioned through
>> 'published' and is now sitting in the 'ready' state, but does not appear
>> as a DNSKEY record on the zone.  I can see that ods-enforcerd has picked
>> up the state change correctly and logged a DSChanged event with the
>> correct output for the new DNSKEY record, and it appears as expected in
>> localhsm, but is not published on the zone.
>>
>> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
>> the rollover?
> Hi,
>
> I would recommend that you wait until the fix
> https://fedorahosted.org/freeipa/ticket/5334
> is released in 4.3.1 or so.
>
> After that you can use the procedure described on the page
> http://www.freeipa.org/page/Howto/DNSSEC
> to run the ds-seen command.
>
> I hope this helps.

That ticket was reported by me ;-)

The issue here is that the new KSK did not appear as a DNSKEY record, so
running ds-seen would have been a bad idea, since the zone would be
entirely invalid if the old key was rotated out before the new key was
published, and the new DS record would be invalid without the
corresponding KSK anyway.

I did also have some more rotated keys get stuck per #5334, and had
cleared them prior to this issue, but I was having trouble getting the
zone resigned correctly, and I was hoping to roll all the keys to deal
with that.  In the end, I had to un-sign the domain and re-sign it to
recover.

I was wondering if there were possibly some known issues/tricks with KSK
rollover, but wasn't certain if my #5334 issues may have thrown a
spanner in the works at some key point in the lifecycle.  I've got some
more KSKs due to roll in a couple of months, so hopefully I can get
4.3.1 deployed before then, and I'll be able to see if the process goes
smoothly without the extraneous issues.

I've also discovered the replication ACI issues in 4.3.0 (#5575 and
friends), which are causing me some grief.  Is there a feel for how
close we are to a 4.3.1 release?
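As an added example (not part of this thread, and not FreeIPA or OpenDNSSEC code), a Python pre-flight check that encodes the point above: derive the DS from a DNSKEY the way RFC 4034/4509 specify, and refuse to treat the rollover as ready for ds-seen until a SEP-flagged DNSKEY matching that DS is actually in the zone's published DNSKEY RRset. The zone name and key material are constructed sample values, not real keys.

```python
import base64
import hashlib

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag from DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(presentation: str) -> bytes:
    """'257 3 8 <base64>' -> DNSKEY RDATA bytes (flags, protocol, algorithm, key)."""
    flags, proto, alg, *b64 = presentation.split()
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(b64)))

def ds_from_dnskey(zone: str, rdata: bytes) -> tuple:
    """DS as (key tag, algorithm, digest type 2, SHA-256 hex) per RFC 4509:
    the digest covers the owner name (wire form) followed by the DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ksk_published(zone: str, published: list, ds: tuple) -> bool:
    """True only if a SEP-flagged DNSKEY (flags bit 15, e.g. 257) in the zone's
    published DNSKEY RRset derives exactly this DS. If this is False, telling
    the enforcer 'ds-seen' would let the old KSK retire while the parent's DS
    points at a key that validators cannot fetch: the chain of trust breaks."""
    for rr in published:
        rdata = parse_dnskey(rr)
        if int.from_bytes(rdata[:2], "big") & 0x0001 and ds_from_dnskey(zone, rdata) == ds:
            return True
    return False

# Constructed sample data (not real key material): the current KSK and ZSK that
# are published, and the new KSK that the enforcer has moved to 'ready'.
ZONE = "example.test."
OLD_KSK = "257 3 8 " + base64.b64encode(b"\x01\x02\x03\x04").decode()
ZSK = "256 3 8 " + base64.b64encode(b"\x05\x06\x07\x08").decode()
NEW_KSK = "257 3 8 " + base64.b64encode(b"\x09\x0a\x0b\x0c").decode()
NEW_DS = ds_from_dnskey(ZONE, parse_dnskey(NEW_KSK))

if __name__ == "__main__":
    print("safe to run ds-seen:", ksk_published(ZONE, [OLD_KSK, ZSK], NEW_DS))
```

In practice the `published` list would come from a `dig DNSKEY` query against the authoritative server rather than the constructed values above.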



Re: [Freeipa-users] DNSSEC KSK rollover

2016-02-29 Thread Petr Spacek
On 28.2.2016 14:51, Peter Fern wrote:
> Hi all,
> A new KSK has been auto-generated, and it's transitioned through
> 'published' and is now sitting in the 'ready' state, but does not appear
> as a DNSKEY record on the zone.  I can see that ods-enforcerd has picked
> up the state change correctly and logged a DSChanged event with the
> correct output for the new DNSKEY record, and it appears as expected in
> localhsm, but is not published on the zone.
> 
> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
> the rollover?

Hi,

I would recommend that you wait until the fix
https://fedorahosted.org/freeipa/ticket/5334
is released in 4.3.1 or so.

After that you can use the procedure described on the page
http://www.freeipa.org/page/Howto/DNSSEC
to run the ds-seen command.

I hope this helps.

-- 
Petr^2 Spacek
