#4657 DNSSEC improvements
Closed: Fixed None Opened 4 years ago by mbasti.

Subtasks:

  • reinitialize kasp.db if softhsm db changes and vice versa
  • review KASP template
  • configurable softhsm slot (currently we use slot 0)
  • check forwarders in dnsconfig-mod command (if this is technically possible)
  • remove DNSSEC master
  • reenable DNSSEC master
  • move DNSSEC master to another server
  • reinstall DNS - state variables should be stored only at first run
  • during forwarder checking (install) be more chatty in stdout (currently we are chatty only in log)
  • if softhsm-so-pin exists, use it to reinitialize tokens (discussion needed)
  • allow user to remove DNSSEC master replica if it is not the last DNS server
  • move modules from ipapython/dnssec to ipaserver/dnssec (discussion needed)
  • DNSSEC CI tests

More points:

  • automate DS record (in parent zone) detection to automatically call OpenDNSSEC's ds-seen command on behalf of user
  • generate new master key when a replica is removed
  • delete very old unused keys
  • code clean up (fix memory leaks, compiler warnings etc.)

master:

  • ac50000 Fix zone name to directory name conversion in BINDMgr.

ipa-4-1:

  • 4e42d17 Fix zone name to directory name conversion in BINDMgr.

It seems that FreeIPA<=3.3.5+bind-dyndb-ldap<6.0 created /var/named/dyndb-ldap/ipa/ directory owned by named:named with permissions set to rwx------ which prevents ipa-dnskeysyncd from working correctly.

I propose to add the line

`%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/`

to freeipa.spec so RPM will fix the problem automatically.

A nice side-effect is that `rpm -qf` will show that the directory is owned by freeipa-server.
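As an added check (not part of the ticket or the FreeIPA code base), the function below audits a bind-dyndb-ldap working directory against the ownership and mode the proposed spec line enforces, so the rwx------ / wrong-owner state described above can be spotted before ipa-dnskeysyncd fails. It assumes GNU coreutils `stat -c`; the expected owner and group default to named:named but can be overridden.

```shell
#!/bin/sh
# Added example: verify that a directory has the mode/owner/group that
# "%dir %attr(0770,named,named)" in freeipa.spec would set.
# Returns 0 when everything matches, 1 otherwise, and reports each mismatch.
check_dyndb_dir() {
    dir=$1
    want_mode=${2:-770}       # octal mode without leading zero, as stat %a prints it
    want_user=${3:-named}
    want_group=${4:-named}
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # GNU stat (assumed): numeric mode, owner name, group name.
    set -- $(stat -c '%a %U %G' "$dir")
    mode=$1; user=$2; group=$3
    rc=0
    [ "$mode" = "$want_mode" ]   || { echo "$dir: mode $mode, want $want_mode"; rc=1; }
    [ "$user" = "$want_user" ]   || { echo "$dir: owner $user, want $want_user"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$dir: group $group, want $want_group"; rc=1; }
    return $rc
}

# Typical use on an IPA DNS server (path from the ticket):
#   check_dyndb_dir /var/named/dyndb-ldap/ipa
```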

master:

  • 42724a4 Add bind-dyndb-ldap working dir to IPA specfile

ipa-4-1:

  • a214431 Add bind-dyndb-ldap working dir to IPA specfile

Compiler warnings:

master:

  • 58737c7 Fix pk11helper module compiler warnings

ipa-4-1:

  • b902ec2 Fix pk11helper module compiler warnings

Got: [error] Error: Error at log in: 0xa0 when testing backup&restore after some combination of install / uninstall / install /backup / update / uninstall / install / restore / uninstall / install (don't remember exactly)

The rpm update in the middle was in ipa-4-1 branch approx. -10, +2 commits around commit 1b5cd5b

2014-11-21T14:47:17Z DEBUG   [6/7]: creating replica keys
2014-11-21T14:47:17Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 306, in __setup_replica_keys
    p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
Error: Error at log in: 0xa0


2014-11-21T14:47:17Z DEBUG   [error] Error: Error at log in: 0xa0

2014-11-21T14:47:17Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 1300, in main
    dnskeysyncd.create_instance(api.env.host, api.env.realm)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 146, in create_instance
    self.start_creation()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 306, in __setup_replica_keys
    p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)

2014-11-21T14:47:17Z DEBUG The ipa-server-install command failed, exception: Error: Error at log in: 0xa0

Martin2 is the primary contact for this one.

Another improvement:

Fix reference counting in pkcs11 extension

master:

  • e6a575d Fix reference counting in pkcs11 extension

ipa-4-1:

  • 2f4ed3c Fix reference counting in pkcs11 extension

Next SoftHSMv2 rebase will require change to PKCS#11 constants to reflect:
https://github.com/opendnssec/SoftHSMv2/pull/110

4.1.4 was released, moving to new milestone

master:

  • 1216da8 DNSSEC: Do not log into files

ipa-4-1:

  • e27b9d1 DNSSEC: Do not log into files

master:

  • ebd9146 DNSSEC: FIX Do not re-create kasp.db if already exists

ipa-4-1:

  • d7cfc11 DNSSEC: FIX Do not re-create kasp.db if already exists

master:

  • 96f6d6c DNSSEC: update OpenDNSSEC KASP configuration

ipa-4-1:

  • 9b7fe37 DNSSEC: update OpenDNSSEC KASP configuration

master:

  • 9aa6124 DNSSEC: Improve global forwarders validation
  • f8c8c36 DNSSEC: validate forward zone forwarders

ipa-4-1:

  • e8f3956 DNSSEC: Improve global forwarders validation
  • 9a90ef2 DNSSEC: validate forward zone forwarders

master:

  • d846804 DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.

ipa-4-1:

  • c5e6f97 DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.

master:

  • f763b13 DNSSEC: fix traceback during shutdown phase

ipa-4-1:

  • a5d8d79 DNSSEC: fix traceback during shutdown phase

master:

  • 33bc9e7 Hide traceback in ipa-dnskeysyncd if kinit failed.

ipa-4-1:

  • 6f9d16f Hide traceback in ipa-dnskeysyncd if kinit failed.

master:

  • 9b6f1a4 Bump minimal BIND version for CentOS.

ipa-4-1:

  • bb396d4 Bump minimal BIND version for CentOS.

ipa-4-1:

  • 17fcdc3 DNSSEC: Detect invalid master keys in LDAP.
  • 8fc6fa7 DNSSEC: Accept ipa-ods-exporter commands from command line.
  • fd5ace8 DNSSEC: ipa-ods-exporter: move zone synchronization into separate function
  • 70ee45c DNSSEC: log ipa-ods-exporter file lock operations into debug log
  • 4840b50 DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter.
  • a983140 DNSSEC: Improve ipa-ods-exporter log messages with key metadata.

master:

  • c37e83f DNSSEC: Detect invalid master keys in LDAP.
  • 68d0f64 DNSSEC: Accept ipa-ods-exporter commands from command line.
  • fd23406 DNSSEC: ipa-ods-exporter: move zone synchronization into separate function
  • 6a8fb04 DNSSEC: log ipa-ods-exporter file lock operations into debug log
  • 579d305 DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter.
  • f9cbdd4 DNSSEC: Improve ipa-ods-exporter log messages with key metadata.

master:

  • fe6819e DNSSEC: Store time & date key metadata in UTC.

ipa-4-1:

  • 840bf5f DNSSEC: Store time & date key metadata in UTC.

Majority of work was finished and fixed upstream, we can close this ticket now. I would suggest opening separate tickets for any problems we find in the future.

Metadata Update from @mbasti:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.1.5

2 years ago
