On 12.8.2016 13:58, Petr Spacek wrote:
> On 12.8.2016 13:26, Guido Schmitz wrote:
>> Hi!
>>
>> I want to migrate my existing DNS setup to FreeIPA. As this existing setup already uses DNSSEC, I want to import my current DNSSEC keys into FreeIPA to have a smooth transition over to IPA's DNS. (The authoritative DNS servers for the zones are set up as slaves that get the zone via AXFR and can seamlessly switch to AXFR from IPA.)
>>
>> In my test migration, I have created the DNS zone I want to migrate in FreeIPA and have enabled DNSSEC.
>>
>> As far as I understand IPA's implementation of DNSSEC, OpenDNSSEC takes care of key management and key rollover [1]. Hence, I have imported my existing DNSSEC keys to OpenDNSSEC according to OpenDNSSEC's HOWTO [2], and OpenDNSSEC correctly shows the imported keys along with the DNSSEC keys generated by IPA.
>>
>> I thought that ipa-dnskeysyncd would take care of syncing the keys from OpenDNSSEC to 389 LDAP, but this does not happen: in 389 LDAP, only the keys initially created by IPA (while enabling DNSSEC for this zone) exist, and hence only these keys are used to sign the zone.
>>
>> Do I need to manually insert my existing DNSSEC keys into the LDAP or take some other additional steps?
>
> Hello!
>
> In theory ipa-dnskeysyncd should take care of it. The important step is to ensure that all the imported keys have the CKA_EXTRACTABLE PKCS#11 flag (in SoftHSM) set to TRUE, otherwise the synchronization will not work.
>
> Please note that we never tested this, so the following text is just untested theory:
>
> Start with the usual DNSSEC debugging for FreeIPA:
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>
> Besides all other things, I would double-check that (on the FreeIPA DNSSEC key master server):
>
> 1) ods-ksmutil key list --verbose
> shows the imported keys in state active or publish
>
> 2) Command
> python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py
> shows that keys are CKA_EXTRACTABLE.
>
> 3) If all of the above seems to be okay, check logs for the ipa-dnskeysyncd and ipa-ods-exporter services:
> journalctl -u ipa-dnskeysyncd -u ipa-ods-exporter
>
> ipa-ods-exporter is the piece doing the dirty export work.
>
> I hope it helps.

Please note that on Fedora 24 you might be hitting this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1366640

> Petr^2 Spacek
>
>> Cheers,
>> -Guido
>>
>> [1] https://www.freeipa.org/page/V4/DNSSEC_Support#Implementation
>> [2] https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
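As an added example (not code from the thread, from FreeIPA or from OpenDNSSEC), the script below combines Petr's checks 1 and 2: it reads CKA_ID and CKA_EXTRACTABLE of every private key in the SoftHSM token through the PyKCS11 library and reports which of the CKA_IDs that `ods-ksmutil key list --verbose` shows as active/publish are missing from the token or are not exportable. PyKCS11 being installed, the PKCS#11 library path and the token PIN are assumptions; the CKA_IDs are passed on the command line.

```python
"""Audit DNSSEC keys before ipa-dnskeysyncd sync (added example, not FreeIPA code).
Assumptions: PyKCS11 installed; PKCS11_LIB and TOKEN_PIN are placeholders."""
import binascii
import sys
try:
    import PyKCS11                     # only needed for the live token query
except ImportError:                    # audit_keys() still works without it
    PyKCS11 = None
PKCS11_LIB = "/usr/lib64/pkcs11/libsofthsm2.so"   # placeholder path
TOKEN_PIN = "REPLACE-WITH-TOKEN-PIN"              # placeholder PIN

def audit_keys(token_keys, ods_ckaids):
    """token_keys: dicts with 'id' (hex CKA_ID) and 'extractable' (bool), as read
    from the token. ods_ckaids: hex CKA_IDs that `ods-ksmutil key list --verbose`
    lists as active/publish. Returns {ckaid: 'ok'|'not-extractable'|'missing-from-token'}."""
    by_id = {k["id"].lower(): k for k in token_keys}
    status = {}
    for ckaid in (c.lower() for c in ods_ckaids):
        key = by_id.get(ckaid)
        if key is None:
            status[ckaid] = "missing-from-token"      # OpenDNSSEC knows a key SoftHSM lacks
        elif not key["extractable"]:
            status[ckaid] = "not-extractable"         # ipa-ods-exporter cannot export it
        else:
            status[ckaid] = "ok"
    return status

def read_private_keys(lib_path=PKCS11_LIB, pin=TOKEN_PIN, slot_index=0):
    """Live query: CKA_ID and CKA_EXTRACTABLE of every private key on the token."""
    if PyKCS11 is None:
        raise RuntimeError("PyKCS11 is required for the live token query")
    lib = PyKCS11.PyKCS11Lib()
    lib.load(lib_path)
    session = lib.openSession(lib.getSlotList(tokenPresent=True)[slot_index])
    session.login(pin)
    try:
        attrs = [PyKCS11.CKA_ID, PyKCS11.CKA_EXTRACTABLE]
        keys = []
        for obj in session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY)]):
            ckaid, extractable = session.getAttributeValue(obj, attrs)
            keys.append({"id": binascii.hexlify(bytes(ckaid)).decode(), "extractable": bool(extractable)})
        return keys
    finally:
        session.logout()
        session.closeSession()

if __name__ == "__main__":
    for ckaid, state in sorted(audit_keys(read_private_keys(), sys.argv[1:]).items()):
        print(ckaid, state)
```

A key reported as `not-extractable` explains exactly the symptom in the thread: OpenDNSSEC lists it, but it never reaches 389 LDAP because the exporter cannot pull the key material out of SoftHSM.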
