bind-dyndb-ldap 5.0 supports DNSSEC inline signing ([upstream documentation], https://www.redhat.com/archives/freeipa-interest/2014-June/msg00003.html announce).
Ticket #3801 aims at full support of DNSSEC including the zone key synchronization between FreeIPA masters/bind-dyndb-ldap's. As #3801 is targeted for further release, add basic/experimental support to 4.0, with manual configuration.
Scope in 4.0:
dnssec-enable
yes
I would like to see following warning when --dnssec option is used for a DNS zone:
Warning! DNSSEC support is experimental. You have to manually generate DNSSEC signing keys and distribute them to all IPA DNS servers. # In the following text, please replace %s with zone name without trailing period $ cd "/var/named/dyndb-ldap/ipa/%s/keys" $ dnssec-keygen -3 -b 2048 -f KSK "%s" $ dnssec-keygen -3 -b 2048 "%s" # please distribute all keys in this directory to all IPA DNS servers $ chown named: * $ rndc sign "%s"
Wondering about it a bit more... It would be nice to print warning from comment #3 only when --dnssec=true is used and print following text for --dnssec=false:
--dnssec=true
--dnssec=false
Warning! DNSSEC support is experimental. If you encounter any problems please report them and restart 'named' service on affected IPA server.
master:
Metadata Update from @mkosek: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.0 GA
Login to comment on this ticket.