#4408 [RFE] Add experimental support for DNSSEC
Closed: Fixed None Opened 8 years ago by mkosek.

bind-dyndb-ldap 5.0 supports DNSSEC inline signing ([upstream documentation], https://www.redhat.com/archives/freeipa-interest/2014-June/msg00003.html announce).

Ticket #3801 aims at full support of DNSSEC including the zone key synchronization between FreeIPA masters/bind-dyndb-ldap's. As #3801 is targeted for further release, add basic/experimental support to 4.0, with manual configuration.

Scope in 4.0:

  • Documentation with simple steps how to manually generate DNSSEC keys to enable the signing
  • DNSSEC-enable switch for DNS zones
  • Update to named.conf template (+upgrade) which will set dnssec-enable to yes. This is benign for zones without DNSSEC enabled so it can be a default.

I would like to see following warning when --dnssec option is used for a DNS zone:

Warning! DNSSEC support is experimental.
You have to manually generate DNSSEC signing keys and distribute them to all IPA DNS servers.
# In the following text, please replace %s with zone name without trailing period
$ cd "/var/named/dyndb-ldap/ipa/%s/keys"
$ dnssec-keygen -3 -b 2048 -f KSK "%s"
$ dnssec-keygen -3 -b 2048 "%s"
# please distribute all keys in this directory to all IPA DNS servers
$ chown named: *
$ rndc sign "%s"

Wondering about it a bit more... It would be nice to print warning from comment #3 only when --dnssec=true is used and print following text for --dnssec=false:

Warning! DNSSEC support is experimental.
If you encounter any problems please report them and restart 'named' service on affected IPA server.


  • 5c2ddaf Allow to add non string values to named conf
  • 3b310d6 DNSSEC: Add experimental support for DNSSEC



  • 7022459 Add DNSSEC experimental support warning message

Metadata Update from @mkosek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.0 GA

5 years ago

Login to comment on this ticket.