authorMartin Basti <mbasti@redhat.com>2014-10-16 16:34:00 +0200
committerMartin Kosek <mkosek@redhat.com>2014-10-21 12:23:03 +0200
commite798bad646f648748872a841f282462d28af795f (patch)
treeb457418a13b4e1536d60fbd47c17aa2283a101b9 /install/tools/ipa-dns-install
parent8f2f5dfbdf6864b7f522aaf2fcf4e337488c87c8 (diff)
DNSSEC: installation
Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/tools/ipa-dns-install')
-rwxr-xr-xinstall/tools/ipa-dns-install56
1 files changed, 51 insertions, 5 deletions
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index be9930746..73afadf56 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -23,7 +23,8 @@ from optparse import OptionGroup, SUPPRESS_HELP
import krbV
-from ipaserver.install import service, bindinstance, ntpinstance, httpinstance
+from ipaserver.install import (service, bindinstance, ntpinstance,
+ httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance)
from ipaserver.install.installutils import *
from ipaserver.install import installutils
from ipapython import version
@@ -56,6 +57,8 @@ def parse_options():
default=False, help="Do not create new reverse DNS zone")
parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
default=False, help="Disable DNSSEC validation")
+ parser.add_option("--dnssec-master", dest="dnssec_master", action="store_true",
+ default=False, help="Setup server to be DNSSEC key master")
parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
type="string",
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
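Review bot: The help text for `--dnssec-master` on the second added line says only "Setup server to be DNSSEC key master", while the irreversibility of that choice is printed later in main() (the "Plan carefully ... cannot be uninstalled" lines of the next hunk) and the confirmation prompt there is skipped under `--unattended`, so a scripted install never sees the warning. The option's help is the one place every caller reads; consider `help="Setup server to be DNSSEC key master (experimental; cannot currently be moved or uninstalled)"`. parse_options() starts before this hunk and continues after it.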
@@ -99,14 +102,40 @@ def main():
print ""
print "This includes:"
print " * Configure DNS (bind)"
+ print " * Configure SoftHSM (required by DNSSEC)"
+ print " * Configure ipa-dnskeysyncd (required by DNSSEC)"
+ if options.dnssec_master:
+ print " * Configure ipa-ods-exporter (required by DNSSEC key master)"
+ print " * Configure OpenDNSSEC (required by DNSSEC key master)"
+ print " * Generate DNSSEC master key (required by DNSSEC key master)"
+ print ""
+ print "NOTE: DNSSEC zone signing is not enabled by default"
+ print ""
+ if options.dnssec_master:
+ print "DNSSEC support is experimental!"
+ print ""
+ print "Plan carefully, current version doesn't allow you to move DNSSEC"
+ print "key master to different server and master cannot be uninstalled"
+ print ""
print ""
print "To accept the default shown in brackets, press the Enter key."
print ""
+ if options.dnssec_master and not options.unattended and not ipautil.user_input(
+ "Do you want to setup this IPA server as DNSSEC key master?",
+ False):
+ sys.exit("Aborted")
+
# Check bind packages are installed
- if not bindinstance.check_inst(options.unattended):
+ if not (bindinstance.check_inst(options.unattended) and
+ dnskeysyncinstance.check_inst()):
sys.exit("Aborting installation.")
+ if options.dnssec_master:
+ # check opendnssec packages are installed
+ if not opendnssecinstance.check_inst():
+ sys.exit("Aborting installation")
+
# Initialize the ipalib api
cfg = dict(
in_server=True,
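Review bot: The combined package check `if not (bindinstance.check_inst(options.unattended) and dnskeysyncinstance.check_inst()):` folds two distinct failures into the single message "Aborting installation.", so unless check_inst() itself reports what is missing (not visible here) the user cannot tell whether BIND or ipa-dnskeysyncd packages are absent; splitting it into two checks with distinct messages, or naming the component in the exit text, would help. The OpenDNSSEC check a few lines below exits with "Aborting installation" without the trailing period, so the two messages also differ for no reason; `sys.exit("Aborting installation.")` keeps them consistent. main() starts before this hunk and continues after it.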
@@ -115,9 +144,6 @@ def main():
api.bootstrap(**cfg)
api.finalize()
- if bindinstance.named_conf_exists():
- sys.exit("\nDNS is already configured in this IPA server.")
-
# Create a BIND instance
if options.unattended and not options.dm_password:
sys.exit("\nIn unattended mode you need to provide at least the -p option")
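Review bot: With the `named_conf_exists()` guard gone, nothing left in this hunk stops the installer from proceeding on a server whose DNS is already configured, which was presumably the point (re-running to add a DNSSEC master) but now also applies to a plain re-run without `--dnssec-master`. Unless the check was relocated into bindinstance (not visible here), gating it on the new option preserves the old protection for the ordinary case: `if bindinstance.named_conf_exists() and not options.dnssec_master: sys.exit("\nDNS is already configured in this IPA server.")`. main() starts before this hunk and continues after it.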
@@ -135,6 +161,14 @@ def main():
except errors.ACIError:
sys.exit("Password is not valid!")
+ ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password)
+ if options.dnssec_master:
+ dnssec_masters = ods.get_masters()
+ # we can reinstall current server if it is dnssec master
+ if not api.env.host in dnssec_masters and dnssec_masters:
+ print "DNSSEC key master(s):", u','.join(dnssec_masters)
+ sys.exit("Only one DNSSEC key master is supported in current version.")
+
ip_addresses = get_server_ip_address(api.env.host, fstore,
options.unattended, True, options.ip_addresses)
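Review bot: The condition `if not api.env.host in dnssec_masters and dnssec_masters:` reads backwards and relies on `not x in y` binding as `not (x in y)`; the idiomatic and clearer form is `if dnssec_masters and api.env.host not in dnssec_masters:`, which also evaluates the cheap emptiness test first. The comment above it, `# we can reinstall current server if it is dnssec master`, would be more useful as `# allow re-running on the existing key master; refuse to add a second master`. `ods` is constructed unconditionally although it is only used under `options.dnssec_master` here and in a later hunk; if the constructor has side effects this runs them on every install, so moving the construction inside the branch may be worth considering (the constructor is not visible here). main() starts before this hunk and continues after it.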
@@ -180,6 +214,18 @@ def main():
no_dnssec_validation=options.no_dnssec_validation)
bind.create_instance()
+ # on dnssec master this must be installed last
+ dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
+ dnskeysyncd.create_instance(api.env.host, api.env.realm)
+ if options.dnssec_master:
+ ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password)
+
+ ods_exporter.create_instance(api.env.host, api.env.realm)
+ ods.create_instance(api.env.host, api.env.realm)
+
+ dnskeysyncd.start_dnskeysyncd()
+ bind.start_named()
+
# Restart http instance to make sure that python-dns has the right resolver
# https://bugzilla.redhat.com/show_bug.cgi?id=800368
http = httpinstance.HTTPInstance(fstore)
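Review bot: The comment `# on dnssec master this must be installed last` is placed above the DNSKeySyncInstance creation, yet the ODS exporter and OpenDNSSEC instances are created after it and the two services are started only at the end, so it is unclear what "this" refers to and what the ordering constraint is. A comment stating the actual dependency would save the next maintainer a guess, e.g. `# Order matters: dnskeysyncd is configured first, OpenDNSSEC components (master only) after it, and named/dnskeysyncd are started only once all DNSSEC components are in place` — adjust if the real constraint differs. The blank line between `ods_exporter = ...` and `ods_exporter.create_instance(...)` inside the `if` block is stray. main() starts before this hunk and continues after it.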