#7727 Handle DNSSEC KSK rollover
Opened 6 months ago by abbra. Modified 5 months ago

From Brian J. Atkisson of Red Hat IT:

In looking at
I checked our IdM server's default named.conf:

options {
dnssec-enable yes;
dnssec-validation yes;

Per https://www.icann.org/dns-resolvers-checking-current-trust-anchors (url is not accessible now):

"First check that DNSSEC validation is set in your configuration file. You should see a line in the options section that says either dnssec-validation auto; or dnssec-validation yes;.

If your configuration shows dnssec-validation yes;, you must change it to dnssec-validation auto;
and restart your server before taking the steps

Current URL for ICANN recommendations: https://www.icann.org/dns-resolvers-updating-latest-trust-anchor

I took a look at /var/named/dynamic/managed-keys.bind, which does contain both 20326 and 19036 keys. Things look fine for the rollover event, although I'm wondering about servers built after the rollover event given 'dnssec-validation yes' instead of 'dnssec-validation auto'

From abbra:
The key itself comes via bind package.

We have 'managed-keys' entry in the IPA-generated named.conf via inclusion of the /etc/named.root.key, so we should be OK with the rollover since our managed-keys entry has 20326 key already.

The scope of this ticket, therefore, is to handle transitioning to dnssec-validation auto from dnssec-validation yes after verifying that 20326 key is available.

We might want to update to 'dnssec-validation auto' to make it prepared
for the next key rollover, I think.


This “auto” line enables automatic DNSSEC trust anchor configuration using the managed-keys feature. In this case, no manual key configuration is needed. There are three possible choices for the dnssec-validation option:
yes: DNSSEC validation is enabled, but a trust anchor must be manually configured. No validation will actually take place until you have manually configured at least one trusted key. This is the default.
no: DNSSEC validation is disabled, and recursive server will behave in the "old fashioned" way of performing insecure DNS lookups.
auto: DNSSEC validation is enabled, and a default trust anchor (included as part of BIND) for the DNS root zone is used.

I agree, it would be better to set auto here. I've changed milestone to 4.6 for backport to RHEL 7.

Metadata Update from @cheimes:
- Issue set to the milestone: FreeIPA 4.6.5

5 months ago

Login to comment on this ticket.