#4417 Add DNSSEC attributes to LDAP schema
Closed: Fixed. Opened 5 years ago by pspacek.

Please add new attributes for DNSSEC metadata:

attributeTypes: ( 2.16.840.1.113730.3.8.5.19 NAME 'idnsSecKeyCreated' DESC 'DNSSEC key creation timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.20 NAME 'idnsSecKeyPublish' DESC 'DNSSEC key (planned) publication time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.21 NAME 'idnsSecKeyActivate' DESC 'DNSSEC key (planned) activation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.22 NAME 'idnsSecKeyInactive' DESC 'DNSSEC key (planned) inactivation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.23 NAME 'idnsSecKeyDelete' DESC 'DNSSEC key (planned) deletion timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.24 NAME 'idnsSecKeyZone' DESC 'DNSKEY ZONE flag (equivalent to bit 7), RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKEY REVOKE flag (equivalent to bit 8), RFC 5011' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15), RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'Pointer to object with key material' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4' )

And new object:

objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4' )

Discussion about the LDAP schema is happening on the freeipa-devel mailing list:
https://www.redhat.com/archives/freeipa-devel/2014-June/msg00297.html

The new schema is divided into three parts:

  • prefix "ipk11" - Generic PKCS#11 LDAP schema not tied to IPA
  • prefix "idnsSec" - IPA DNS
  • prefix "ipa" - IPA-specific things which can be used outside IPA DNS

Honza and I agreed on better naming, please rename ipaKeyRef -> ipaSecretKeyRef. The same applies to the object class.

Thank you!
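As an added illustration of the idnsSecKey object class proposed above (not FreeIPA's own code), the validator below checks one entry against the MUST/MAY sets, the SINGLE-VALUE and Boolean syntax constraints, and the lifecycle order implied by the five timestamp attributes (created, publish, activate, inactive, delete). The dict-of-value-lists entry representation, the sample entry and the placeholder DN in idnsSecKeyRef are constructed for this example.

```python
from datetime import datetime, timezone

# Attribute sets copied from the proposed idnsSecKey objectClass above.
MUST = {"idnsSecKeyRef", "idnsSecKeyCreated", "idnsSecAlgorithm"}
MAY = {"idnsSecKeyPublish", "idnsSecKeyActivate", "idnsSecKeyInactive",
       "idnsSecKeyDelete", "idnsSecKeyZone", "idnsSecKeyRevoke",
       "idnsSecKeySep", "cn"}
FLAGS = {"idnsSecKeyZone", "idnsSecKeyRevoke", "idnsSecKeySep"}
# Lifecycle timestamps in the order a key is expected to pass through them.
TIMELINE = ["idnsSecKeyCreated", "idnsSecKeyPublish", "idnsSecKeyActivate",
            "idnsSecKeyInactive", "idnsSecKeyDelete"]

def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime in its plain UTC form, e.g. 20140617120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_key_entry(entry):
    """Return schema and lifecycle problems for one entry ({attr: [values]}); [] if consistent."""
    present = set(entry)
    problems = [f"missing MUST attribute {a}" for a in sorted(MUST - present)]
    problems += [f"attribute {a} not allowed by idnsSecKey" for a in sorted(present - MUST - MAY)]
    # Every idnsSec* attribute is SINGLE-VALUE; cn comes from core schema and may repeat.
    problems += [f"{a} must be single-valued" for a in sorted(present - {"cn"}) if len(entry[a]) != 1]
    # Boolean syntax 1.3.6.1.4.1.1466.115.121.1.7 allows only TRUE or FALSE.
    problems += [f"{a} must be TRUE or FALSE" for a in sorted(FLAGS & present) if entry[a] not in (["TRUE"], ["FALSE"])]
    stamps = []  # (attribute, datetime) for the timestamps that are set
    for a in TIMELINE:
        if a in present and len(entry[a]) == 1:
            try:
                stamps.append((a, parse_generalized_time(entry[a][0])))
            except ValueError:
                problems.append(f"{a} is not a valid GeneralizedTime")
    # A key must not be activated before it is published, deleted before it is inactive, etc.
    for (earlier, t1), (later, t2) in zip(stamps, stamps[1:]):
        if t2 < t1:
            problems.append(f"{later} precedes {earlier}")
    return problems

# Constructed sample zone-signing key entry; the DN in idnsSecKeyRef is a placeholder.
SAMPLE_ZSK = {
    "cn": ["zsk-example"],
    "idnsSecKeyRef": ["cn=key-placeholder,cn=keys,dc=example,dc=test"],
    "idnsSecAlgorithm": ["RSASHA256"],
    "idnsSecKeyCreated": ["20140617120000Z"],
    "idnsSecKeyPublish": ["20140618120000Z"],
    "idnsSecKeyActivate": ["20140619120000Z"],
    "idnsSecKeyInactive": ["20140719120000Z"],
    "idnsSecKeyDelete": ["20140726120000Z"],
    "idnsSecKeyZone": ["TRUE"],
}
```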

ipa-4-1:

  • f31f5f5 Add mask, unmask methods for service
  • 82961a0 DNSSEC: dependencies
  • 3f0440f DNSSEC: schema
  • 3c7bc2a DNSSEC: add ipapk11helper module
  • 52acc54 DNSSEC: DNS key synchronization daemon
  • abf4418 DNSSEC: opendnssec services
  • 9af49ff DNSSEC: platform paths and services
  • f01acf8 DNSSEC: validate forwarders
  • cc50112 DNSSEC: modify named service to support dnssec
  • 877fedf DNSSEC: installation
  • 4535324 DNSSEC: uninstallation
  • d254bcb DNSSEC: upgrading
  • 4ddc978 DNSSEC: ACI
  • dc5b3af DNSSEC: add ipa dnssec daemons
  • bcb1e91 DNSSEC: add files to backup
  • b84fc92 DNSSEC: change link to ipa page

master:

  • 78018dd Add mask, unmask methods for service
  • c909690 DNSSEC: dependencies
  • 9184d9a DNSSEC: schema
  • bcce865 DNSSEC: add ipapk11helper module
  • eb54814 DNSSEC: DNS key synchronization daemon
  • 9101cfa DNSSEC: opendnssec services
  • 30bc3a5 DNSSEC: platform paths and services
  • ca030a0 DNSSEC: validate forwarders
  • 8f2f5df DNSSEC: modify named service to support dnssec
  • e798bad DNSSEC: installation
  • 21aef21 DNSSEC: uninstallation
  • d673ebe DNSSEC: upgrading
  • 5556b7f DNSSEC: ACI
  • 276e69d DNSSEC: add ipa dnssec daemons
  • 49547a5 DNSSEC: add files to backup
  • 1072503 DNSSEC: change link to ipa page
  • 2a4ba3d DNSSEC: remove container_dnssec_keys

Metadata Update from @pspacek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.1

3 years ago
