bind-dyndb-ldap in Fedora 20 plans to introduce DNSSEC support. Add support to FreeIPA as well.
Related bind-dyndb-ldap ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/56
Related bind-dyndb-ldap design documents:
Related discussion on freeipa-devel: http://www.redhat.com/archives/freeipa-devel/2013-May/msg00177.html
Major challenges in FreeIPA will be the secure synchronization of DNSSEC keys, which need to be available to all FreeIPA masters with DNS support. There should also be a possibility to rotate the keys.
3.4 development was shifted by one month, moving tickets to reflect reality better.
Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.
Moving unfinished November tickets to January.
As a workaround for the bind-dyndb-ldap limitation described in ticket #128, we need to restart named after each ns-slapd restart.
Petr2 owns this effort.
DNSSEC is still far from completion, moving to April.
Reassigning as we discussed in person:
Please add an attribute & respective option for dnszone-mod and dnszone-add:
ipa dnszone-mod --dnssec=TRUE/FALSE
should change the boolean attribute idnsSecInlineSigning in the idnsZone object class. Thanks!
I have reserved OID 2.16.840.1.113730.3.8.5.18 for it.
I have found that we also need to remove the following attributes from LDAP & CLI & Web UI. The following record types will be managed automatically by BIND in memory and never read from or stored to the database.
attributeTypes: (1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signature, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
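Added example in Python, written for this page and not code from FreeIPA or bind-dyndb-ldap: a small audit that parses the four attributeTypes quoted in the comment above, scans an LDIF export for DNS entries that still store those record types, and emits the LDIF modify operations that would delete them before the schema attributes themselves are dropped. The zone name example.test, the DNs and the RRSIG/NSEC rdata are constructed sample input; the LDIF reader is deliberately minimal (no base64 values, no folded lines).

```python
"""Audit LDAP DNS entries for record types that BIND will manage in memory
once inline signing is used (SIG, KEY, RRSIG, NSEC).  Added example, not
FreeIPA code."""
import re

# Constructed copy of the four attributeTypes quoted in the ticket comment.
BIND_MANAGED_SCHEMA = """\
attributeTypes: (1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signature, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""

# Constructed sample export for a hypothetical zone example.test.  The first
# entry still carries NSEC/RRSIG data that must no longer live in LDAP.
SAMPLE_ENTRIES = """\
dn: idnsname=www,idnsname=example.test,cn=dns,dc=example,dc=test
objectClass: idnsRecord
idnsName: www
aRecord: 192.0.2.10
rRSIGRecord: A 5 3 86400 20140101000000 20131201000000 12345 example.test. c2lnbmF0dXJl
nSECRecord: mail.example.test. A RRSIG NSEC

dn: idnsname=mail,idnsname=example.test,cn=dns,dc=example,dc=test
objectClass: idnsRecord
idnsName: mail
aRecord: 192.0.2.25
"""

ATTR_TYPE_RE = re.compile(
    r"attributeTypes:\s*\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'"
    r"(?:\s+DESC\s+'(?P<desc>[^']*)')?"
)


def parse_attribute_types(schema):
    """Return {lowercased NAME: (OID, DESC)} for each attributeTypes line."""
    found = {}
    for line in schema.splitlines():
        m = ATTR_TYPE_RE.match(line.strip())
        if m:
            found[m.group("name").lower()] = (m.group("oid"), m.group("desc") or "")
    return found


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value'
    per line.  Base64 values ('::') and folded continuation lines are not
    handled; use python-ldap's ldif module for real exports."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        # LDAP attribute names are case-insensitive; normalise for lookups.
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_bind_managed_records(entries, managed):
    """Return (dn, attr, values) for every attribute BIND will now own."""
    hits = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in sorted(managed):
            if attr in entry:
                hits.append((dn, attr, entry[attr]))
    return hits


def ldif_delete_ops(hits):
    """Build LDIF 'changetype: modify' records deleting the flagged attributes,
    one record per DN.  Lowercased names are fine: LDAP matches them
    case-insensitively."""
    by_dn = {}
    for dn, attr, _values in hits:
        by_dn.setdefault(dn, []).append(attr)
    records = []
    for dn, attrs in by_dn.items():
        lines = [f"dn: {dn}", "changetype: modify"]
        for attr in attrs:
            lines += [f"delete: {attr}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    managed = set(parse_attribute_types(BIND_MANAGED_SCHEMA))
    hits = find_bind_managed_records(parse_ldif(SAMPLE_ENTRIES), managed)
    for dn, attr, values in hits:
        print(f"{dn}: {attr} = {values}")
    print(ldif_delete_ops(hits))
```

Running it against a real export (for example the output of ldapsearch over the cn=dns subtree) lists every entry that would silently lose data once the attributes disappear from the schema, and the generated LDIF can be reviewed and fed to ldapmodify.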
Please file a separate ticket for removing the options.
Accepting this for the framework changes.
Schema changes were moved to #4328.
Web UI part sent for review
The options section of /etc/named.conf has to contain the statement:
options { dnssec-enable yes; };
I think that dnssec-validation yes; seems too much for now; I would enable it later when we have some experience with DNSSEC in FreeIPA.
Framework & schema changes are now in master:
Web UI part of idnsSecInlineSigning attribute, master:
This feature is not ready to be fully supported in 4.0 GA. There are ongoing security related discussions on freeipa-devel that we do not want to rush.
I am thus moving the full support (mainly focused on secure signing key exchange between replicas) RFE to FreeIPA 4.1 release. FreeIPA 4.0 should release at least experimental support so that people can test this technology in their infrastructure - see RFE ticket #4408.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1115294
Resetting reviewers and patch posted for review because this is the tracker for FreeIPA 4.1.
master:
ipa-4-1:
One more thing: /etc/named.conf has to contain the line:
include "/etc/named.root.key";
at top level (i.e. alongside "options"):
options { ... };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The bind package in Fedora includes this line in its default configuration file, but IPA overwrites the whole file without any inheritance, so we need to add this line to the IPA template.
Ah, I can see that Fedora adds additional configuration:
options {
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
IPA has to follow.
This reminds me that the IPA spec file should require the following files:
This should ensure that we will catch packaging changes in the BIND package.
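Added example in Python, written for this page and not FreeIPA's own code: a check that a named.conf satisfies the points raised in the comments above: dnssec-enable yes plus the Fedora bindkeys-file and managed-keys-directory settings inside options, and include "/etc/named.root.key" at top level rather than nested inside some other block. The two configuration texts are constructed samples; the set of required settings is copied from the comments and is meant to be edited if the template changes.

```python
"""Verify that a named.conf carries the DNSSEC prerequisites discussed in
this ticket.  Added example, not FreeIPA code."""
import re

# Values taken from the ticket comments; adjust if the IPA template changes.
REQUIRED_OPTIONS = {
    "dnssec-enable": "yes",
    "bindkeys-file": "/etc/named.iscdlv.key",
    "managed-keys-directory": "/var/named/dynamic",
}
REQUIRED_TOP_LEVEL_INCLUDES = {"/etc/named.root.key"}

# Constructed sample that lacks the DNSSEC settings.
CONF_WITHOUT_DNSSEC = """\
options {
    directory "/var/named";
    dnssec-enable no;
};
include "/etc/named.rfc1912.zones";
"""

# Constructed sample with the settings the comments above ask for.
CONF_WITH_DNSSEC = """\
options {
    directory "/var/named";
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    dnssec-enable yes;
    // dnssec-validation yes;   left disabled, as discussed in the ticket
};
logging {
    channel default_debug { file "data/named.run"; severity dynamic; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
"""


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out settings do not count."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(^|\s)(//|#)[^\n]*", r"\1", text, flags=re.M)


def options_block(text):
    """Return the body of the top-level options { ... } block, or None."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced braces after 'options {'")
    return text[m.end():i - 1]


def top_level_includes(text):
    """Paths from include statements that sit outside every { } block."""
    depth, found = 0, []
    for m in re.finditer(r'include\s+"([^"]+)"\s*;|[{}]', text):
        tok = m.group(0)
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 0:
            found.append(m.group(1))
    return found


def check_named_conf(text):
    """Return a list of problems; an empty list means all prerequisites hold."""
    text = strip_comments(text)
    problems = []
    body = options_block(text)
    if body is None:
        problems.append("no options { } block")
    else:
        for key, want in REQUIRED_OPTIONS.items():
            m = re.search(r"\b%s\s+(\S+?)\s*;" % re.escape(key), body)
            if m is None:
                problems.append(f"options: {key} missing")
            elif m.group(1).strip('"') != want:
                problems.append(f"options: {key} is {m.group(1)}, want {want}")
    for inc in sorted(REQUIRED_TOP_LEVEL_INCLUDES - set(top_level_includes(text))):
        problems.append(f'missing top-level include "{inc}"')
    return problems


if __name__ == "__main__":
    for name, conf in (("without", CONF_WITHOUT_DNSSEC), ("with", CONF_WITH_DNSSEC)):
        print(name, check_named_conf(conf) or "OK")
```

On a real master, feed it the output of named-checkconf -p (which expands includes and normalises layout) rather than the raw file, so that a setting pulled in from an included file is not reported as missing.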
bind and bind-dyndb-ldap are not required by freeipa's spec file. DNS support is optional; should we really require these files?
Good point! We should add these files to the planned ipa-server-dns package.
Replying to [comment:31 pspacek]:
One more thing: ...
Metadata Update from @mkosek: - Issue assigned to pspacek - Issue set to the milestone: FreeIPA 4.1