Hello there,
With the current way DNSSEC is managed, we can't (easily) recover from a dead DNSSEC master node for the following reasons:
- zone keys keyring isn't automatically synced to the other nodes
- we need to deactivate "dnssec master" from the node itself
There isn't any easy way to recover from this situation, at least nothing is documented. References to the DNSSEC master are present in LDAP, and probably in some configurations, and since the keys are lost, it's pretty complicated and stressful to reset the state.
We should just promote a new master, and that's it
freeipa-4.8.1-1.fc30
The zone keys from SoftHSM are already wrapped and stored in LDAP in subtree `cn=keys,cn=sec,cn=dns,$SUFFIX`. The `ipa-dnskeysyncd.service` takes care of uploading the keys on the DNSSEC master and updating SoftHSM2 on all other servers. The KASP db is not backed up yet. ODS can create a backup of the sqlite database:

`sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil database backup --output /tmp/backup.sqlite`

The database backup is small, e.g. 6kB compressed on my test system. It doesn't change often, only when keys are rotated or a zone is added/removed. We could store the database in LDAP, too.
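A small wrapper around the backup command quoted above, added here as an example (not FreeIPA or OpenDNSSEC code): it runs the dump on the DNSSEC master, refuses to archive it unless the file passes SQLite's own integrity check, then gzips it and records a SHA-256 so the copy kept elsewhere can be verified before a restore. The `make_sample_db` helper builds a constructed stand-in for the KASP database so the checks can be exercised offline; the sudo/SoftHSM paths are the ones from the ticket.

```python
import gzip, hashlib, shutil, sqlite3, subprocess, tempfile

# Backup command quoted in the ticket; paths are FreeIPA's defaults.
ODS_BACKUP_CMD = ["sudo", "-u", "ods", "SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf",
                  "ods-ksmutil", "database", "backup", "--output"]

def dump_kasp_db(output_path):
    """Run ods-ksmutil on the DNSSEC master; writes the KASP sqlite dump to output_path."""
    subprocess.run(ODS_BACKUP_CMD + [output_path], check=True)
    return output_path

def verify_sqlite_backup(path):
    """True only if the file is a consistent SQLite database that contains tables.
    Opened read-only via a URI so the check can never alter the backup."""
    try:
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            status = con.execute("PRAGMA integrity_check").fetchone()[0]
            tables = con.execute(
                "SELECT count(*) FROM sqlite_master WHERE type='table'").fetchone()[0]
        finally:
            con.close()
    except sqlite3.DatabaseError:  # missing file, truncated dump, or not SQLite at all
        return False
    return status == "ok" and tables > 0

def package_backup(path):
    """gzip the dump (the ticket measured ~6kB compressed) and return (archive, sha256)."""
    archive = path + ".gz"
    with open(path, "rb") as src, gzip.open(archive, "wb") as dst:
        shutil.copyfileobj(src, dst)
    with open(archive, "rb") as f:
        return archive, hashlib.sha256(f.read()).hexdigest()

def make_sample_db():
    """Constructed stand-in for a KASP database so the checks can be exercised offline."""
    path = tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False).name
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("INSERT INTO zones (name) VALUES ('example.test.')")
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    dump = dump_kasp_db("/tmp/backup.sqlite")
    if not verify_sqlite_backup(dump):
        raise SystemExit("KASP dump failed integrity check; not archiving it")
    print("%s sha256=%s" % package_backup(dump))
```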
I forgot to mention that keys are usually rotated about every 14 days / two times a month.
Metadata Update from @frenaud: - Issue set to the milestone: DNSSEC