1115294 – [RFE] Add support for DNSSEC

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1115294 - [RFE] Add support for DNSSEC

Summary: [RFE] Add support for DNSSEC

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:	829395 1044159 1044170 1044171 1061212 1097749 1097753 1117157 1117174 1119738 1121658 1122495 1193892 1196971 1204100 1261530
Blocks:	1181710 1249775 1664718
TreeView+	depends on / blocked

Reported:	2014-07-02 07:12 UTC by Martin Kosek
Modified:	2019-05-21 10:22 UTC (History)
CC List:	12 users (show)
Fixed In Version:	ipa-4.2.0-1.el7
Doc Type:	Technology Preview
Doc Text:	.DNSSEC available as Technology Preview in IdM Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated. Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents: * link:http://tools.ietf.org/html/rfc6781#section-2[DNSSEC Operational Practices, Version 2] * link:http://dx.doi.org/10.6028/NIST.SP.800-81-2[Secure Domain Name System (DNS) Deployment Guide] * link:http://tools.ietf.org/html/rfc7583[DNSSEC Key Rollover Timing Considerations] Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices described in the link:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Host_Names.html#sec-Recommended_Naming_Practices[Red Hat Enterprise Linux Networking Guide].
Clone Of:
Clones:	1249775 1664718 (view as bug list)
Environment:
Last Closed:	2015-11-19 12:00:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:2362	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2015-11-19 10:40:46 UTC

Description Martin Kosek 2014-07-02 07:12:34 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3801

bind-dyndb-ldap in Fedora 20 plans to introduce DNSSEC support. Add support to FreeIPA as well.

Related bind-dyndb-ldap ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Related bind-dyndb-ldap design documents:
* https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
* https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/RBTDB

Related discussion on freeipa-devel: http://www.redhat.com/archives/freeipa-devel/2013-May/msg00177.html

Major challenges in FreeIPA will be a secure synchronization of DNSSEC keys which need to be available to all FreeIPA masters with DNS support. There also should be a possibility to rotate the keys.

Comment 1 Jenny Severance 2014-07-03 14:25:14 UTC

Can you please close this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=829395

Comment 2 Martin Kosek 2014-07-04 08:03:52 UTC

I am not sure I want to do that. DNSSEC support in IPA has different scope that DNSSEC support in bind-dyndb-ldap component. It also needs to publish proper interface + secure key exchange for multi-master environment.

Comment 3 Petr Spacek 2014-07-18 12:21:27 UTC

I'm adding DS bugs which hammers performance in cases where SyncRepl is used. (SyncRepl is a requirement for bind-dyndb-ldap version which supports DNSSEC.)

Comment 4 Petr Spacek 2014-07-18 12:23:59 UTC

And also we need SyncRepl support itself.

Comment 7 Martin Kosek 2014-08-19 08:45:04 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4462

Comment 8 Martin Kosek 2014-10-21 10:32:25 UTC

Initial upstream support (#3801) was fixed upstream, it will be part of FreeIPA 4.1. See details in

https://fedorahosted.org/freeipa/ticket/3801

Comment 9 Martin Kosek 2014-10-24 14:28:16 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4657

Comment 10 Martin Kosek 2014-10-24 14:28:33 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4658

Comment 11 Petr Viktorin 2014-10-29 14:04:51 UTC

Improvements/fixes are being applied upstream, see https://fedorahosted.org/freeipa/ticket/4657 for details.

Comment 12 Petr Vobornik 2014-11-13 13:01:11 UTC

Ticket #4658 Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/82c3c2b242c3f2b8113c2021cf4d17cab54c2a86  
https://fedorahosted.org/freeipa/changeset/e28eb13907053ca9d49e4bf66cb32820f1a2ef1d
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/814479a5678741f106283b61666e4bd093852fa7 
https://fedorahosted.org/freeipa/changeset/51795254b2384a4b12908804b53c3da56e70f946

Missed from 4657:
master:
https://fedorahosted.org/freeipa/changeset/42724a4b22f9c7025254c875e9f8fcba17f8b9bf
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/a21443168e6e23e6f0485a2d71861e6e8fead67c

Comment 13 Petr Spacek 2014-11-14 19:34:21 UTC

Adding dependencies client side: These changes on clients make the feature actually useful.

IMHO we should consider implementing https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver in RHEL too.

Comment 14 Petr Viktorin 2014-11-20 15:52:19 UTC

Compiler warnings fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/58737c7791b44d9d7cd011d3385bf66ea24d9830
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/b902ec294387eef29d07ab2ccff9ff17625aaa9c

Comment 15 Petr Vobornik 2015-03-06 14:49:32 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4933

Comment 17 Tomas Babej 2015-03-18 11:35:52 UTC

Related changes:
master:
https://fedorahosted.org/freeipa/changeset/7b6bee030dac08807f254fdf58ba867c36cab23d
https://fedorahosted.org/freeipa/changeset/26d6c6fbbbd6d024d82b1ab515d300e6113d2c34
ipa-4-1:
https://fedorahosted.org/freeipa/changeset]/41ca3fb499f42c740b183865acad2007e9916b48

Comment 18 Jan Cholasta 2015-04-02 08:53:35 UTC

master:
https://fedorahosted.org/freeipa/changeset/1216da8b9f2100cacebbeb8fe2dd91e22b954ba7
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/e27b9d18cee86b7634a0ec23042985c23096098e

Comment 19 Jan Cholasta 2015-05-19 12:49:17 UTC

master:
https://fedorahosted.org/freeipa/changeset/ebd91461132d2aa7d5166d03ccfe7b0d49df2c8a
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/d7cfc1107bcd63eaa4c5282672c088dcbd1ebf9b

Comment 20 Jan Cholasta 2015-05-19 12:52:16 UTC

master:
https://fedorahosted.org/freeipa/changeset/96f6d6ca09922f56aa63cfdebc934bd9db0d3ed5
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/9b7fe37c9d3a8a11c3485c73fd67f90298e793c5

Comment 21 Petr Vobornik 2015-06-11 11:14:37 UTC

master:
https://fedorahosted.org/freeipa/changeset/9aa6124b39267148c4c1b9a8ee4209fb859b9c42
https://fedorahosted.org/freeipa/changeset/f8c8c360f1957a39ce98df61752abbfa1df9864b
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/e8f39566eb8bf73ac907f7db74fbc8fc78ce9e12
https://fedorahosted.org/freeipa/changeset/9a90ef2982573db216fac1c23406aa70bc4f32e4

Comment 22 Petr Vobornik 2015-06-11 14:09:45 UTC

master:
https://fedorahosted.org/freeipa/changeset/d84680473b079ee3e568465bd04029d2a5f1f9c3
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/c5e6f97535540287065ce1f244883b5582841ba4

Comment 23 Petr Vobornik 2015-06-15 07:44:28 UTC

master:
https://fedorahosted.org/freeipa/changeset/f763b137ee1eee228f53b456b8245b1499185ef7
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/a5d8d79f76ce39817e16a64fe937c9bb34aa5d6a

Comment 24 Petr Vobornik 2015-06-24 12:38:54 UTC

Changes for bug 1229430
master:
https://fedorahosted.org/freeipa/changeset/33bc9e7faca55497e00a3f6c08f4bff7262e290c
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/6f9d16fd0014427db223fe82f021b12f4db2fe37

Comment 25 Tomas Babej 2015-06-29 11:35:50 UTC

master:
https://fedorahosted.org/freeipa/changeset/9b6f1a4f9f7718819105da10a4ab20e66fe578b5
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/bb396d4e83d629b0e89b59a7fd04544f8db9c984

Comment 26 Tomas Babej 2015-06-29 12:35:32 UTC

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/17fcdc3b2924567735a7efac47599b00fc0c8844
https://fedorahosted.org/freeipa/changeset/8fc6fa7b72270a2e69894530f06727492e412cfe
https://fedorahosted.org/freeipa/changeset/fd5ace8a00e490d2d5d960efc895c56d4e5aaaa4
https://fedorahosted.org/freeipa/changeset/70ee45cc25306d34ccc2011529b61414b8a4ac3f
https://fedorahosted.org/freeipa/changeset/4840b507b8abfb1b0de27db4348902b6c74d2d86
https://fedorahosted.org/freeipa/changeset/a9831406bf0d205ac431aadc32b7ef03f74a2bfc
master:
https://fedorahosted.org/freeipa/changeset/c37e83f4b3c19df305648bab9a12e81956c8e232
https://fedorahosted.org/freeipa/changeset/68d0f641babb28d6b1d486aca7a113e305521d45
https://fedorahosted.org/freeipa/changeset/fd2340649fb8888d946d7e17e4711e802cbbd239
https://fedorahosted.org/freeipa/changeset/6a8fb04460a127dcf03d531c4e3956016df91a3e
https://fedorahosted.org/freeipa/changeset/579d30571ba15b9b62b32472ce5f04a7c561ee0d
https://fedorahosted.org/freeipa/changeset/f9cbdd4915d13cd6e20fe7631d3c95c1352860f9

Comment 27 Tomas Babej 2015-07-01 10:27:14 UTC

master:
https://fedorahosted.org/freeipa/changeset/fe6819eb9d7d9f84616daadb5f07072a3dfa02b1
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/840bf5f41a532252db329cbdab0baf544f2448b2

Comment 29 Martin Kosek 2015-07-07 08:12:32 UTC

FreeIPA ticket 4462 will not be part of this feature, this part was not done upstream.

Comment 30 Martin Kosek 2015-07-07 08:15:39 UTC

The intended functionality is finished upstream, the feature is now maintenance mode. I am thus moving this RFE to POST.

Comment 35 Petr Spacek 2015-08-26 11:19:52 UTC

Here is more descriptive text for release notes.

Comment 36 Kaleem 2015-09-23 12:56:36 UTC

Verified.

IPA/bind* rpm version:
======================
[root@dhcp207-229 ~]# rpm -q ipa-server bind bind-pkcs11 bind-dyndb-ldap opendnssec
ipa-server-4.2.0-11.el7.x86_64
bind-9.9.4-29.el7.x86_64
bind-pkcs11-9.9.4-29.el7.x86_64
bind-dyndb-ldap-8.0-1.el7.x86_64
opendnssec-1.4.7-3.el7.x86_64
[root@dhcp207-229 ~]#

Done verification of this RFE by execution of following test cases.
-------------------------------------------------------------------
1. Installation of DNSSEC component with a lot of combinations with forwarders(DNSSEC enabled/disabled, DNS component not installed etc), installation of dnssec component after upgrade to RHEL-7.2 .
2. Migration of DNSSEC component to another IPA replica .
3. DNSzone/DNSrecord signing with verification of dnssec chain of trust, enabling/disabling of signing on dnszone .
4. DNSForward zone addition where DNSSEC enabled/disabled.

Comment 38 Petr Spacek 2015-10-22 06:59:29 UTC

I've added following link to the doc text:

DNSSEC Key Rollover Timing Considerations:
http://tools.ietf.org/html/rfc7583

Comment 40 errata-xmlrpc 2015-11-19 12:00:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

Note You need to log in before you can comment on or make changes to this bug.