#3801 [RFE] Add support for DNSSEC
Closed: Fixed None Opened 6 years ago by mkosek.

bind-dyndb-ldap in Fedora 20 plans to introduce DNSSEC support. Add support to FreeIPA as well.

Related bind-dyndb-ldap ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Related bind-dyndb-ldap design documents:

Related discussion on freeipa-devel: http://www.redhat.com/archives/freeipa-devel/2013-May/msg00177.html

Major challenges in FreeIPA will be a secure synchronization of DNSSEC keys which need to be available to all FreeIPA masters with DNS support. There also should be a possibility to rotate the keys.


3.4 development was shifted by one month, moving tickets to reflect reality better.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Moving unfinished November tickets to January.

As a workaround for the bind-dyndb-ldap limitation described in ticket #128, we need to restart named after each ns-slapd restart.

Petr2 owns this effort.

DNSSEC is still far from completion, moving to April.

Reassigning as we discussed in person:

Please add an attribute & respective option for dnszone-mod and dnszone-add:

ipa dnszone-mod --dnssec=TRUE/FALSE

should change boolean attribute idnsSecInlineSigning in idnsZone object class. Thanks!

I have reserved OID 2.16.840.1.113730.3.8.5.18 for it.

I have found that we also need to remove the following attributes from LDAP & CLI & WebUI. The following record types will be managed automatically by BIND in memory and never read from or stored to the database.

attributeTypes: (1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signature, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

Please file a separate ticket for removing the options.

Accepting this for the framework changes.

Schema changes were moved to #4328.

Web UI part sent for review

/etc/named.conf in section options has to contain statement:

options {
    dnssec-enable yes;
};

I think that dnssec-validation yes; seems too much for now, I would enable it later when we have some experience with DNSSEC in FreeIPA.

Framework & schema changes are now in master:

  • 8b7daf6 dns: Add idnsSecInlineSigning attribute, add --dnssec option to zone

Web UI part of idnsSecInlineSigning attribute, master:

  • 9c97bbd webui: add idnsSecInlineSigning option to DNS zone details facet

This feature is not ready to be fully supported in 4.0 GA. There are ongoing security related discussions on freeipa-devel that we do not want to rush.

I am thus moving the full support (mainly focused on secure signing key exchange between replicas) RFE to FreeIPA 4.1 release. FreeIPA 4.0 should release at least experimental support so that people can test this technology in their infrastructure - see RFE ticket #4408.

Resetting reviewers and patch posted for review because this is the tracker for FreeIPA 4.1.

master:

  • 3be8ff6 DNSSEC: fix DS record validation
  • 155126b Tests: DNS dsrecord validation
  • d013019 DNS fix NS record coexistence validator
  • 2b3be21 Test: DNS NS validation
  • 7e76bba Fix DNS record rename test

ipa-4-1:

  • 7348832 DNSSEC: fix DS record validation
  • 2863fc9 Tests: DNS dsrecord validation
  • f605fe8 DNS fix NS record coexistence validator
  • c7dc1b5 Test: DNS NS validation
  • a327363 Fix DNS record rename test

One more thing:
/etc/named.conf has to contain line:

include "/etc/named.root.key";

at top level (i.e. besides "options"):

options {
...
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

The bind package in Fedora includes this line in its default configuration file, but IPA overwrites the whole file without any inheritance, so we need to add this line to the IPA template.

Ah, I can see that Fedora adds additional configuration:

options {
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

IPA has to follow.

This reminds me that IPA spec file should require following files:

  • /etc/named.iscdlv.key
  • /etc/named.root.key
  • /etc/named.rfc1912.zones
  • /var/named/dynamic
  • /var/named/data
  • /run/named

This should ensure that we will catch packaging changes in BIND package.
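As an added check (not FreeIPA's own code) covering both the dnssec-enable requirement and the rule that the named.root.key include must sit at top level beside "options", the following Python scanner tracks brace depth so that an include misplaced inside the options block is reported as missing; both sample configurations are constructed here.

```python
import re
# Constructed named.conf (not FreeIPA's template) laid out as the ticket
# asks: DNSSEC statements inside "options", the key include at top level.
SAMPLE_GOOD = """
options {
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        dnssec-enable yes;
};
include "/etc/named.root.key";
"""
# Same text with the include misplaced inside the options block.
SAMPLE_BAD = SAMPLE_GOOD.replace('};\ninclude "/etc/named.root.key";',
                                 'include "/etc/named.root.key";\n};')

# Required statements and the block each must sit in ("" = top level).
REQUIRED = {
    "dnssec-enable": ("options", "dnssec-enable yes"),
    "bindkeys-file": ("options", 'bindkeys-file "/etc/named.iscdlv.key"'),
    "managed-keys-directory": ("options", 'managed-keys-directory "/var/named/dynamic"'),
    "root-key-include": ("", 'include "/etc/named.root.key"'),
}

def strip_comments(text):
    # Drop /* */, // and # comments; assumes none appear inside quoted strings.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def statements(text):
    # Return (enclosing block name, normalised statement) pairs, tracking
    # brace depth by hand so the block each statement sits in is known.
    out, scope, buf = [], [], ""
    for ch in strip_comments(text):
        if ch not in "{};":
            buf += ch
            continue
        if ch == "{":                        # block opens: remember its name
            scope.append(buf.split()[0] if buf.split() else "?")
        elif ch == "}":                      # block closes
            scope.pop()
        elif buf.strip():                    # ";" ends a statement
            out.append((scope[-1] if scope else "", " ".join(buf.split())))
        buf = ""
    return out

def check_named_conf(text):
    # True per requirement only if the statement is in the right block.
    found = set(statements(text))
    return {name: want in found for name, want in REQUIRED.items()}
```

On current BIND releases dnssec-enable is obsolete (DNSSEC is always on) and ISC DLV has been decommissioned, so a checker for a modern deployment would drop those two entries.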

bind and bind-dyndb-ldap are not required by freeipa's spec file. DNS support is optional; should we really require these files?

Good point! We should add these files to planned ipa-server-dns package.

Replying to [comment:31 pspacek]:

One more thing:
...

master:

  • 97195eb Add missing attributes to named.conf
  • 7ad7002 Make named.conf template platform independent

ipa-4-1:

  • ec928b1 Add missing attributes to named.conf
  • bac2cc9 Make named.conf template platform independent

ipa-4-1:

  • f31f5f5 Add mask, unmask methods for service
  • 82961a0 DNSSEC: dependencies
  • 3f0440f DNSSEC: schema
  • 3c7bc2a DNSSEC: add ipapk11helper module
  • 52acc54 DNSSEC: DNS key synchronization daemon
  • abf4418 DNSSEC: opendnssec services
  • 9af49ff DNSSEC: platform paths and services
  • f01acf8 DNSSEC: validate forwarders
  • cc50112 DNSSEC: modify named service to support dnssec
  • 877fedf DNSSEC: installation
  • 4535324 DNSSEC: uninstallation
  • d254bcb DNSSEC: upgrading
  • 4ddc978 DNSSEC: ACI
  • dc5b3af DNSSEC: add ipa dnssec daemons
  • bcb1e91 DNSSEC: add files to backup
  • b84fc92 DNSSEC: change link to ipa page

ipa-4-1:

  • 98100fe DNSSEC: remove container_dnssec_keys

master:

  • 78018dd Add mask, unmask methods for service
  • c909690 DNSSEC: dependencies
  • 9184d9a DNSSEC: schema
  • bcce865 DNSSEC: add ipapk11helper module
  • eb54814 DNSSEC: DNS key synchronization daemon
  • 9101cfa DNSSEC: opendnssec services
  • 30bc3a5 DNSSEC: platform paths and services
  • ca030a0 DNSSEC: validate forwarders
  • 8f2f5df DNSSEC: modify named service to support dnssec
  • e798bad DNSSEC: installation
  • 21aef21 DNSSEC: uninstallation
  • d673ebe DNSSEC: upgrading
  • 5556b7f DNSSEC: ACI
  • 276e69d DNSSEC: add ipa dnssec daemons
  • 49547a5 DNSSEC: add files to backup
  • 1072503 DNSSEC: change link to ipa page
  • 2a4ba3d DNSSEC: remove container_dnssec_keys

Metadata Update from @mkosek:
- Issue assigned to pspacek
- Issue set to the milestone: FreeIPA 4.1

2 years ago
