Bug 1664718

Summary: [RFE] IdM DNSSEC support
Product: Red Hat Enterprise Linux 8
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact: lmcgarry
Priority: medium
Version: 8.0
CC: abokovoy, fhanzelk, igkioka, ksiddiqu, lkuprova, lmanasko, lmcgarry, mvarun, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: FutureFeature, TechPreview
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.7.1-7.module+el8+2555+b334d87b
Doc Type: Technology Preview
Doc Text:
.DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:

* link:https://datatracker.ietf.org/doc/html/rfc6781[DNSSEC Operational Practices, Version 2]
* link:http://dx.doi.org/10.6028/NIST.SP.800-81-2[Secure Domain Name System (DNS) Deployment Guide]
* link:https://datatracker.ietf.org/doc/html/rfc7583[DNSSEC Key Rollover Timing Considerations]

Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.
Clone Of: 1115294
Last Closed: 2019-06-14 02:05:13 UTC
Bug Depends On: 1115294, 2084180    
Bug Blocks:    

Description Martin Kosek 2019-01-09 13:52:01 UTC
+++ This bug was initially created as a clone of Bug #1115294 +++
This bug is created to track the availability of the IdM DNSSEC feature introduced in RHEL-7 in Bug 1115294 and to denote that it is still being offered as TechPreview.

Upstream Resources:
* https://pagure.io/freeipa/issue/3801
* https://www.freeipa.org/page/V4/DNSSEC_Support
* https://docs.pagure.org/bind-dyndb-ldap/BIND9/Design/DNSSEC.html

RHEL Resources:
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs