Notice the two pages regarding DNSSEC (the 'howto' and the 'troubleshooting') discuss a requirement to give a command ( ... ds-seen ... ), requiring many arguments. The docs call for this command to occur for each domain after the DS key has been uploaded to the parent domain, and it is required for key rollover operations.

'To-do' documentation proposes to automate that along with many other items, all of which are then marked 'done'. I notice the 'drill' command to verify proper DNSSEC operation gives [T] / trusted results without having given the command that includes 'ds-seen'.

1) Since whether the parent domain has a proper DS key is something freeipa could determine without needing to be goaded by the user, it's reasonable to suppose the automation of this has been accomplished and so the requirement to give the ds-seen command mentioned in the documentation is obsolete? Is it, and if so, ought it be marked as such?

2) If it doesn't already, in the case where freeipa manages domain y.z and dnssec is enabled for domain x.y.z, freeipa ought to load and update/maintain the ds key for x.y.z into y.z automatically.

Thanks

Harry

_______________________________________________
FreeIPA-users mailing list -- [email protected]
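The check the post says could be automated (does the parent publish a DS that matches a DNSKEY the child zone serves) can be sketched offline as below. This is an added example, not FreeIPA code and not part of the original post; the function names, the owner name x.y.z and the key bytes are constructed, only SHA-256 (digest type 2) DS records are compared, and fetching the records from live zones is left out.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) DNS wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields for a DNSKEY: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def parent_has_ds(owner, child_dnskeys, parent_ds):
    """True if a DS at the parent matches a zone key the child publishes."""
    published = {(t, a, d, h.lower()) for (t, a, d, h) in parent_ds}
    for rdata in child_dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if flags & 0x0100 and make_ds(owner, rdata) in published:  # Zone Key bit
            return True
    return False

# Constructed sample data: placeholder key bytes, not real keys.
OWNER = "x.y.z."
KSK = dnskey_rdata(257, 3, 13, bytes(64))
ZSK = dnskey_rdata(256, 3, 13, bytes([1]) * 64)
OLD_KSK = dnskey_rdata(257, 3, 13, bytes([2]) * 64)

if __name__ == "__main__":
    child_keys = [ZSK, KSK]
    print(parent_has_ds(OWNER, child_keys, [make_ds(OWNER, KSK)]))      # DS current
    print(parent_has_ds(OWNER, child_keys, [make_ds(OWNER, OLD_KSK)]))  # DS stale
    print(parent_has_ds(OWNER, child_keys, []))                         # DS missing
```

A stale or missing DS at the parent is the state a rollover must not proceed from, which is what a manual confirmation step guards against.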
