#3801 implemented initial support for DNSSEC in FreeIPA follong bind-dyndb-ldap short term design.
The first version depends on a single server in the infrastructure that would store and generate the DNSSEC signing keys. Work on moving to OpenDNSSEC v2 LDAP backend ([bind-dyndb-ldap long term design]) to have the keys stored in LDAP and distributed by new PKCS#11 interface (http://www.freeipa.org/page/V4/PKCS11_in_LDAP design).
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1115294 (Red Hat Enterprise Linux 7)
This work depends on PKCS#11 support in SSSD described in ticket #4322.
PKCS#11
Processing 4.2 backlog. This ticket was found as something that is not a priority for the nearest releases.
But as usual, please feel free to discuss your use cases or contribute patches, to make that happen sooner!
Moving to 4.4 so that we do not forget discussion this ticket. pspacek is afraid of having the current DNSSEC single point of failure situation.
Metadata Update from @mkosek: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @mbasti: - Assignee reset - Issue close_status updated to: None
Metadata Update from @frenaud: - Issue set to the milestone: DNSSEC (was: FreeIPA 4.5 backlog)
Login to comment on this ticket.