Hi,

to enable DNSSEC, the following command has to be run on the IPA server
that will be the DNSSEC key master:
# ipa-dns-install --dnssec-master [other options]

You can find more information here:
https://www.freeipa.org/page/Howto/DNSSEC

HTH,
flo

On Sun, Oct 2, 2022 at 8:09 PM Eric Ashley via FreeIPA-users <
[email protected]> wrote:

> Greetings all,
> I'm running the following FreeIPA:
> Installed Packages
> freeipa-client.x86_64            4.9.10-4.fc36 @updates
> freeipa-client-common.noarch     4.9.10-4.fc36 @updates
> freeipa-common.noarch            4.9.10-4.fc36 @updates
> freeipa-healthcheck.noarch       0.11-2.fc36 @updates
> freeipa-healthcheck-core.noarch  0.11-2.fc36 @updates
> freeipa-selinux.noarch           4.9.10-4.fc36 @updates
> freeipa-server.x86_64            4.9.10-4.fc36 @updates
> freeipa-server-common.noarch     4.9.10-4.fc36 @updates
> freeipa-server-dns.noarch        4.9.10-4.fc36 @updates
> libipa_hbac.x86_64               2.7.4-1.fc36 @updates
> python3-ipaclient.noarch         4.9.10-4.fc36 @updates
> python3-ipalib.noarch            4.9.10-4.fc36 @updates
> python3-ipaserver.noarch         4.9.10-4.fc36 @updates
> python3-libipa_hbac.x86_64       2.7.4-1.fc36 @updates
> sssd-ipa.x86_64                  2.7.4-1.fc36 @updates
>
> My other internal DNS server is 9.16.33-1.fc36 running on the same OS
> revision. Both my FreeIPA subdomain and the subdomain served by the other
> Bind 9 instance are serving subdomains of my issued domain name but are
> hidden. My public DNS (also Bind9, but on Debian) is in my DMZ and
> accessible via local LAN links to all the FreeIPA clients. My publicly
> accessible hosts are not FreeIPA clients and don't look up internal PTR
> records or need any integration with FreeIPA. If something really requires
> the DS records for the subdomains to be available, I could create a view on
> the public server that serves that data, including the subdomain authority
> delegation. I'd rather not take this step unless it's really a necessity.
>
> I don't have any FreeIPA secondary servers at present since I can't see a
> point in having 2 copies of the same server running as VMs on the same host
> machine. As I lack another machine with sufficient power to run FreeIPA
> server, I just backup regularly. Therefore, the packages that manage a
> fleet of servers are unnecessary overhead, since I have just 1.
>
> ipa dnszone-show returns the following as the first line of output,
> followed by the other settings looking as expected:
> ipa: WARNING: No DNSSEC key master is installed. DNSSEC zone signing will
> not work until the DNSSEC key master is installed.
>
> I have created ZSK and KSK keys for the ipa subdomain. I'm wondering if
> there's an easier way to import them than manually creating the DNSKEY 256
> and 257 records. I've searched, fruitlessly, for the information in the doc
> and can only find passing references to DNSSEC, with no key import
> instructions.
>
> rndc dnssec -status <myipa>.domain.com
>
> reports
>
> Zone does not have dnssec-policy
>
> Do I change that in named config files or is there a preferred way to set
> it via freeipa? After I sent my first attempt at this message, I stumbled
> upon the fact that Bind had updated to support a fully automatic key
> management. At my last digging, it still required the admin to generate and
> install keys manually. All my other servers are properly using the default
> dnssec-policy and inline-signing is yes.
>
> At some point I'll remember that I can't send mailing list emails from
> Thunderbird without ProtonMail signing it.
>
> Thanks in advance,
> Eric
>
>
> Sent with Proton Mail <https://proton.me/> secure email.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
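Since the question mentions the DNSKEY 256/257 records and the DS records a parent or public server might need, here is an added example (not from the thread or from FreeIPA itself) that classifies a DNSKEY as KSK or ZSK by its flags, computes its RFC 4034 key tag, and derives the SHA-256 DS record. The owner name and key blob are constructed placeholders; the algorithm 1 (RSA/MD5) key-tag special case is deliberately unsupported.

```python
"""Classify DNSKEY records (KSK/ZSK) and derive the matching DS record (RFC 4034)."""
import base64
import hashlib
import struct

# DNSKEY flags (RFC 4034 section 2.1): bit 7 (256) = Zone Key, bit 15 (1) = Secure
# Entry Point. 257 = zone key + SEP = KSK; 256 = zone key only = ZSK.
ZONE_KEY = 0x0100
SEP = 0x0001

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (not algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a word
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF

def key_role(flags: int) -> str:
    if not flags & ZONE_KEY:
        return "not-a-zone-key"
    return "KSK" if flags & SEP else "ZSK"

def parse_dnskey_line(line: str):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' as printed by dig."""
    tok = line.split()
    i = tok.index("DNSKEY")
    return tok[0], int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3]), "".join(tok[i + 4:])

def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """DS presentation text with digest type 2 (SHA-256 over owner wire form + RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

# Constructed sample: a KSK (flags 257) with a 4-byte placeholder key blob, not a real key.
SAMPLE_LINE = "ipa.example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(b"\x00\x01\x00\x01").decode()

if __name__ == "__main__":
    owner, flags, proto, alg, key_b64 = parse_dnskey_line(SAMPLE_LINE)
    print(key_role(flags), ds_record(owner, flags, proto, alg, key_b64))
```

Feed it the DNSKEY lines from `dig +dnssec DNSKEY <zone>` once the key master is in place, and the resulting DS lines are what a parent or public view would publish for the delegation.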