#4328 Update DNSSEC attributes in LDAP schema (experimental phase)
Closed: Fixed None Opened 9 years ago by pspacek.

I have found that we also need to remove following attributes from LDAP & CLI & WebUI. Following record types will be managed automatically by BIND in memory and never read/stored from/to database.

attributeTypes: (1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signature, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

We need to add few new attributes:

attributetype ( 1.3.6.1.4.1.2428.20.1.51
       NAME 'nSEC3PARAMRecord'
       DESC 'RFC 5155'
       EQUALITY caseIgnoreIA5Match
       SUBSTR caseIgnoreIA5SubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
       SINGLE-VALUE )

attributetype ( 2.16.840.1.113730.3.8.5.18
       NAME 'idnsSecInlineSigning'
       DESC 'DNSSEC in-line signing'
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
       SINGLE-VALUE )

Both attributes should be added to idnsZone objectClass.

Hmm, I just found that [5155 section 7.3]]([http://tools.ietf.org/html/rfc5155#section-7.3|RFC) allows multiple NSEC3PARAM records...

It is not supported by bind-dyndb-ldap now so we can stay with SINGLE-VALUE nSEC3PARAMRecord but framework code should be prepared to eventual change in the future. This will be necessary so old replicas don't fail when upgraded schema is available.

It would be nice if we could get DLV record added before 4.0 is released:

attributetype ( 1.3.6.1.4.1.2428.20.1.32769
       NAME 'DLVRecord'
       DESC 'RFC 4431: DNSSEC Lookaside Validation'
       EQUALITY caseIgnoreIA5Match
       SUBSTR caseIgnoreIA5SubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

It will be handy even without user interface, it can be used as manual workaround for various DNSSEC misconfigurations/political problems.

Please add new attributes for DNSSEC metadata:

attributetypes: ( 2.16.840.1.113730.3.8.5.19 NAME 'idnsSecKeyCreated' DESC 'DNSSEC key creation timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributetypes: ( 2.16.840.1.113730.3.8.5.20 NAME 'idnsSecKeyPublish' DESC 'DNSSEC key (planned) publication time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributetypes: ( 2.16.840.1.113730.3.8.5.21 NAME 'idnsSecKeyActivate' DESC 'DNSSEC key (planned) activation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributetypes: ( 2.16.840.1.113730.3.8.5.22 NAME 'idnsSecKeyInactive' DESC 'DNSSEC key (planned) inactivation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributetypes: ( 2.16.840.1.113730.3.8.5.23 NAME 'idnsSecKeyDelete' DESC 'DNSSEC key (planned) deletion timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.24 NAME 'idnsSecKeyZone' DESC 'DNSKEY ZONE flag (equivalent to bit 7), RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKEY REVOKE flag (equivalent to bit 8), RFC 5011' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15), RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4' )
attributetypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'Pointer to object with key material' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4' )

And new object:

objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4' )

No user interface is required.

master:

  • 48865ae DNSSEC: remove unsuported records
  • 5b95be8 DNSSEC: added NSEC3PARAM record type
  • 4d90d3d DNSSEC: webui update DNSSEC attributes
  • cbc6445 Tests: remove unused records from tests
  • 4c88fdd Tests: tests for NSEC3PARAM records

patches for other attributes should follow

DLV

master:

  • 7cdc417 DNSSEC: DLVRecord type added
  • ee6e634 DNSSEC: Test: DLV record
  • 2229e89 Digest part in DLV/DS records allows only heaxadecimal characters
  • 0eef379 DNSSEC: WebUI add DLV record type

TLSA

Please make sure that TLSA records are supported:

attributetype ( 1.3.6.1.4.1.2428.20.1.52 NAME 'TLSARecord'
        DESC 'DNS-Based Authentication of Named Entities - Transport Layer Security Protocol, RFC 6698'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

This will require CLI & WebUI change.

Let me add that this new records should be added to idnsRecord object class.

Adding to list of tickets required for 4.0 release.

TLSA record

master:

  • 12cb315 DNSSEC: add TLSA record type
  • 8e911fc DNSSEC: WebUI: add TLSA

All changes except comment:8 were done in FreeIPA 4.0. This is enough for experimental DNSSEC support (#4408). Changes from comment:8 were moved to new ticket #4417.

related fix in #4413 :

master:

closing, the rest will be addressed in ticket #4417

Metadata Update from @pspacek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.0 GA

7 years ago

Login to comment on this ticket.

Metadata