This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3801

bind-dyndb-ldap in Fedora 20 plans to introduce DNSSEC support. Add support to FreeIPA as well.

Related bind-dyndb-ldap ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Related bind-dyndb-ldap design documents:
* https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
* https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/RBTDB

Related discussion on freeipa-devel: http://www.redhat.com/archives/freeipa-devel/2013-May/msg00177.html

Major challenges in FreeIPA will be a secure synchronization of DNSSEC keys which need to be available to all FreeIPA masters with DNS support. There also should be a possibility to rotate the keys.
Can you please close this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=829395
I am not sure I want to do that. DNSSEC support in IPA has a different scope than DNSSEC support in the bind-dyndb-ldap component. It also needs to publish a proper interface + secure key exchange for a multi-master environment.
I'm adding DS bugs which hammer performance in cases where SyncRepl is used. (SyncRepl is a requirement for the bind-dyndb-ldap version which supports DNSSEC.)
And also we need SyncRepl support itself.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4462
Initial upstream support (#3801) was fixed upstream; it will be part of FreeIPA 4.1. See details in https://fedorahosted.org/freeipa/ticket/3801
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4657
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4658
Improvements/fixes are being applied upstream, see https://fedorahosted.org/freeipa/ticket/4657 for details.
Ticket #4658 fixed upstream

master:
https://fedorahosted.org/freeipa/changeset/82c3c2b242c3f2b8113c2021cf4d17cab54c2a86
https://fedorahosted.org/freeipa/changeset/e28eb13907053ca9d49e4bf66cb32820f1a2ef1d

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/814479a5678741f106283b61666e4bd093852fa7
https://fedorahosted.org/freeipa/changeset/51795254b2384a4b12908804b53c3da56e70f946

Missed from 4657:

master:
https://fedorahosted.org/freeipa/changeset/42724a4b22f9c7025254c875e9f8fcba17f8b9bf

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/a21443168e6e23e6f0485a2d71861e6e8fead67c
Adding dependencies client side: These changes on clients make the feature actually useful. IMHO we should consider implementing https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver in RHEL too.
Compiler warnings fixed upstream

master:
https://fedorahosted.org/freeipa/changeset/58737c7791b44d9d7cd011d3385bf66ea24d9830

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/b902ec294387eef29d07ab2ccff9ff17625aaa9c
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4933
Related changes:

master:
https://fedorahosted.org/freeipa/changeset/7b6bee030dac08807f254fdf58ba867c36cab23d
https://fedorahosted.org/freeipa/changeset/26d6c6fbbbd6d024d82b1ab515d300e6113d2c34

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/41ca3fb499f42c740b183865acad2007e9916b48
master: https://fedorahosted.org/freeipa/changeset/1216da8b9f2100cacebbeb8fe2dd91e22b954ba7 ipa-4-1: https://fedorahosted.org/freeipa/changeset/e27b9d18cee86b7634a0ec23042985c23096098e
master: https://fedorahosted.org/freeipa/changeset/ebd91461132d2aa7d5166d03ccfe7b0d49df2c8a ipa-4-1: https://fedorahosted.org/freeipa/changeset/d7cfc1107bcd63eaa4c5282672c088dcbd1ebf9b
master: https://fedorahosted.org/freeipa/changeset/96f6d6ca09922f56aa63cfdebc934bd9db0d3ed5 ipa-4-1: https://fedorahosted.org/freeipa/changeset/9b7fe37c9d3a8a11c3485c73fd67f90298e793c5
master:
https://fedorahosted.org/freeipa/changeset/9aa6124b39267148c4c1b9a8ee4209fb859b9c42
https://fedorahosted.org/freeipa/changeset/f8c8c360f1957a39ce98df61752abbfa1df9864b

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/e8f39566eb8bf73ac907f7db74fbc8fc78ce9e12
https://fedorahosted.org/freeipa/changeset/9a90ef2982573db216fac1c23406aa70bc4f32e4
master: https://fedorahosted.org/freeipa/changeset/d84680473b079ee3e568465bd04029d2a5f1f9c3 ipa-4-1: https://fedorahosted.org/freeipa/changeset/c5e6f97535540287065ce1f244883b5582841ba4
master: https://fedorahosted.org/freeipa/changeset/f763b137ee1eee228f53b456b8245b1499185ef7 ipa-4-1: https://fedorahosted.org/freeipa/changeset/a5d8d79f76ce39817e16a64fe937c9bb34aa5d6a
Changes for bug 1229430

master:
https://fedorahosted.org/freeipa/changeset/33bc9e7faca55497e00a3f6c08f4bff7262e290c

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/6f9d16fd0014427db223fe82f021b12f4db2fe37
master: https://fedorahosted.org/freeipa/changeset/9b6f1a4f9f7718819105da10a4ab20e66fe578b5 ipa-4-1: https://fedorahosted.org/freeipa/changeset/bb396d4e83d629b0e89b59a7fd04544f8db9c984
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/17fcdc3b2924567735a7efac47599b00fc0c8844
https://fedorahosted.org/freeipa/changeset/8fc6fa7b72270a2e69894530f06727492e412cfe
https://fedorahosted.org/freeipa/changeset/fd5ace8a00e490d2d5d960efc895c56d4e5aaaa4
https://fedorahosted.org/freeipa/changeset/70ee45cc25306d34ccc2011529b61414b8a4ac3f
https://fedorahosted.org/freeipa/changeset/4840b507b8abfb1b0de27db4348902b6c74d2d86
https://fedorahosted.org/freeipa/changeset/a9831406bf0d205ac431aadc32b7ef03f74a2bfc

master:
https://fedorahosted.org/freeipa/changeset/c37e83f4b3c19df305648bab9a12e81956c8e232
https://fedorahosted.org/freeipa/changeset/68d0f641babb28d6b1d486aca7a113e305521d45
https://fedorahosted.org/freeipa/changeset/fd2340649fb8888d946d7e17e4711e802cbbd239
https://fedorahosted.org/freeipa/changeset/6a8fb04460a127dcf03d531c4e3956016df91a3e
https://fedorahosted.org/freeipa/changeset/579d30571ba15b9b62b32472ce5f04a7c561ee0d
https://fedorahosted.org/freeipa/changeset/f9cbdd4915d13cd6e20fe7631d3c95c1352860f9
master: https://fedorahosted.org/freeipa/changeset/fe6819eb9d7d9f84616daadb5f07072a3dfa02b1 ipa-4-1: https://fedorahosted.org/freeipa/changeset/840bf5f41a532252db329cbdab0baf544f2448b2
FreeIPA ticket 4462 will not be part of this feature; this part was not done upstream.
The intended functionality is finished upstream, and the feature is now in maintenance mode. I am thus moving this RFE to POST.
Here is more descriptive text for release notes.
Verified.

IPA/bind* rpm version:
======================
[root@dhcp207-229 ~]# rpm -q ipa-server bind bind-pkcs11 bind-dyndb-ldap opendnssec
ipa-server-4.2.0-11.el7.x86_64
bind-9.9.4-29.el7.x86_64
bind-pkcs11-9.9.4-29.el7.x86_64
bind-dyndb-ldap-8.0-1.el7.x86_64
opendnssec-1.4.7-3.el7.x86_64
[root@dhcp207-229 ~]#

Done verification of this RFE by execution of the following test cases.
-------------------------------------------------------------------
1. Installation of the DNSSEC component with a lot of combinations with forwarders (DNSSEC enabled/disabled, DNS component not installed, etc.), installation of the DNSSEC component after upgrade to RHEL-7.2.
2. Migration of the DNSSEC component to another IPA replica.
3. DNS zone/DNS record signing with verification of the DNSSEC chain of trust, enabling/disabling of signing on a DNS zone.
4. DNS forward zone addition where DNSSEC is enabled/disabled.
I've added the following link to the doc text: DNSSEC Key Rollover Timing Considerations: http://tools.ietf.org/html/rfc7583
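The original description lists key rotation among the feature's challenges, and the comment above links RFC 7583 for rollover timing. The following Python is an added example (not part of this bug, of FreeIPA, or of bind-dyndb-ldap) showing the timing the RFC's pre-publication ZSK rollover (section 3.2.1) requires: a new key may only start signing once every resolver can have fetched the updated DNSKEY RRset (Ipub = Dprp + TTLkey), and the old key may only be removed once no cached RRSIG made by it can still be in use (Iret = Dsgn + Dprp + TTLsig). The zone parameters, dates and the helper names are constructed for the example; removing the old key early is the failure mode the check flags.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ZoneTiming:
    """Zone parameters in the notation of RFC 7583 (all values in seconds)."""
    ttl_key: int  # TTLkey: TTL of the DNSKEY RRset
    ttl_sig: int  # TTLsig: largest TTL of any signed RRset (bounds how long old RRSIGs stay cached)
    d_prp: int    # Dprp: time for a zone change to reach every authoritative server
    d_sgn: int    # Dsgn: time needed to re-sign the whole zone with the new ZSK


def publication_interval(zt: ZoneTiming) -> timedelta:
    """Ipub = Dprp + TTLkey: wait between publishing the new DNSKEY and signing with it."""
    return timedelta(seconds=zt.d_prp + zt.ttl_key)


def retire_interval(zt: ZoneTiming) -> timedelta:
    """Iret = Dsgn + Dprp + TTLsig: wait after the old key stops signing until no validator needs it."""
    return timedelta(seconds=zt.d_sgn + zt.d_prp + zt.ttl_sig)


def prepublication_timeline(t_pub: datetime, t_act: datetime, t_ret: datetime, zt: ZoneTiming) -> dict:
    """Derive Trdy and Tdea from the operator-chosen Tpub, Tact and Tret.

    Raises ValueError when activation would let a resolver hold a cached DNSKEY
    RRset that lacks the new key while it receives RRSIGs made by that key.
    """
    t_rdy = t_pub + publication_interval(zt)
    if t_act < t_rdy:
        raise ValueError(f"Tact {t_act.isoformat()} precedes Trdy {t_rdy.isoformat()}: new key not yet cached everywhere")
    if t_ret < t_act:
        raise ValueError("Tret must not precede Tact")
    t_dea = t_ret + retire_interval(zt)
    return {"Tpub": t_pub, "Trdy": t_rdy, "Tact": t_act, "Tret": t_ret, "Tdea": t_dea}


def removal_is_safe(timeline: dict, t_rem: datetime) -> bool:
    """Removing the old DNSKEY before Tdea breaks validation of RRSIGs still held in caches."""
    return t_rem >= timeline["Tdea"]


# Constructed sample zone parameters and dates (not taken from the bug report).
ZONE = ZoneTiming(ttl_key=3600, ttl_sig=86400, d_prp=1800, d_sgn=600)
T_PUB = datetime(2015, 11, 1, 0, 0, tzinfo=timezone.utc)  # new ZSK added to the DNSKEY RRset
T_ACT = datetime(2015, 11, 2, 0, 0, tzinfo=timezone.utc)  # zone re-signed with the new ZSK
T_RET = datetime(2015, 12, 1, 0, 0, tzinfo=timezone.utc)  # old ZSK stops signing


def run_example() -> dict:
    """Build the sample timeline and judge two candidate removal times for the old key."""
    tl = prepublication_timeline(T_PUB, T_ACT, T_RET, ZONE)
    return {
        "timeline": tl,
        "remove_after_12h_safe": removal_is_safe(tl, T_RET + timedelta(hours=12)),
        "remove_after_2d_safe": removal_is_safe(tl, T_RET + timedelta(days=2)),
    }


if __name__ == "__main__":
    result = run_example()
    for name, when in result["timeline"].items():
        print(f"{name:>5}: {when.isoformat()}")
    print("remove old key 12h after Tret:", "safe" if result["remove_after_12h_safe"] else "UNSAFE")
    print("remove old key 2d after Tret: ", "safe" if result["remove_after_2d_safe"] else "UNSAFE")
```

With the sample values, Trdy falls 1h30 after publication and Tdea 1 day 40 minutes after retirement, so removing the old key 12 hours after Tret is flagged as unsafe while removal two days later is not. In a multi-master deployment like the one this RFE targets, the same intervals must be measured against the slowest master's propagation, since Dprp covers every authoritative server that publishes the zone.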
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2362.html