freeipa.git/daemons/dnssec, branch mindatefix FreeIPA patches Remove unused locking "context manager" 2016-06-17T16:27:22+00:00 David Kupka dkupka@redhat.com 2016-06-17T13:12:29+00:00 45bb2ad045654c020fe6ac4e77ed2741cd35d717 Class ods_db_lock is unused since August 2015. Reviewed-By: Martin Basti <mbasti@redhat.com> 
Class ods_db_lock is unused since August 2015.

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: Log debug messages at log level DEBUG 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-11-24T11:49:16+00:00 ae2462738b47c0f00133ae377854b31ddcb912a2 https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: ipa-ods-exporter: add ldap-cleanup command 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-12-20T18:19:28+00:00 9fbbe3e574c5f42e3896d9c3bee22db84d46501d Command "ldap-cleanup <zone name>" will remove all key metadata from LDAP. This can be used manually in sequence like: ldap-cleanup <zone name> update <zone name> to delete all key metadata from LDAP and re-export them from OpenDNSSEC. ldap-cleanup command should be called when disabling DNSSEC on a DNS zone to remove stale key metadata from LDAP. https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Command "ldap-cleanup <zone name>" will remove all key metadata from
LDAP. This can be used manually in sequence like:
ldap-cleanup <zone name>
update <zone name>
to delete all key metadata from LDAP and re-export them from OpenDNSSEC.

ldap-cleanup command should be called when disabling DNSSEC on a DNS
zone to remove stale key metadata from LDAP.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-12-15T14:22:45+00:00 ddf7397a4beb8095a24981998461aecc0e1ec40d Key purging has to be only only after key metadata purging so ipa-dnskeysyncd on replices does not fail while dereferencing non-existing keys. https://fedorahosted.org/freeipa/ticket/5334 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Key purging has to be only only after key metadata purging so
ipa-dnskeysyncd on replices does not fail while dereferencing
non-existing keys.

https://fedorahosted.org/freeipa/ticket/5334

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: logging improvements in ipa-ods-exporter 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-12-15T13:16:52+00:00 6bdc18d0c538c658ae6022b127bf5776436f68e7 https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-11-24T11:49:40+00:00 9ff1c0ac297cba8c0d5a87f6ecfa7d41169476c0 Previously we published timestamps of planned state changes in LDAP. This led to situations where state transition in OpenDNSSEC was blocked by an additional condition (or unavailability of OpenDNSSEC) but BIND actually did the transition as planned. Additionally key state mapping was incorrect for KSK so sometimes KSK was not used for signing when it should. Example (for code without this fix): - Add a zone and let OpenDNSSEC to generate keys. - Wait until keys are in state "published" and next state is "inactive". - Shutdown OpenDNSSEC or break replication from DNSSEC key master. - See that keys on DNS replicas will transition to state "inactive" even though it should not happen because OpenDNSSEC is not available (i.e. new keys may not be available). - End result is that affected zone will not be signed anymore, even though it should stay signed with the old keys. https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Previously we published timestamps of planned state changes in LDAP.
This led to situations where state transition in OpenDNSSEC was blocked
by an additional condition (or unavailability of OpenDNSSEC) but BIND
actually did the transition as planned.

Additionally key state mapping was incorrect for KSK so sometimes KSK
was not used for signing when it should.

Example (for code without this fix):
- Add a zone and let OpenDNSSEC to generate keys.
- Wait until keys are in state "published" and next state is "inactive".
- Shutdown OpenDNSSEC or break replication from DNSSEC key master.
- See that keys on DNS replicas will transition to state "inactive" even
  though it should not happen because OpenDNSSEC is not available
  (i.e. new keys may not be available).
- End result is that affected zone will not be signed anymore, even
  though it should stay signed with the old keys.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: Improve error reporting from ipa-ods-exporter 2016-01-07T13:13:23+00:00 Petr Spacek pspacek@redhat.com 2015-11-26T13:56:00+00:00 9bcb9887eab496a98a46c149c93c517c5dcb99c7 https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove unused imports 2015-12-23T06:59:22+00:00 Martin Basti mbasti@redhat.com 2015-12-16T15:06:03+00:00 e4075b1fe26a608cd1f3778ee1f655a5f5700c65 This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits 2015-10-07T12:28:50+00:00 Petr Spacek pspacek@redhat.com 2015-10-06T07:43:43+00:00 0b797da56095801bfa80653465c04bae0809df8d ldap2 internally does LDAP search to find out what LDAP search limits should be used (!). The problem is that this internal search has hardcoded limits and throws LimitExceeded exception when DS is too slow. DNSSEC daemons do not need any abstractions from ldap2 so we are going to use ipaldap directly. This will avoid the unnecessary search and associated risks. https://fedorahosted.org/freeipa/ticket/5342 Reviewed-By: Martin Basti <mbasti@redhat.com> 
ldap2 internally does LDAP search to find out what LDAP search limits
should be used (!). The problem is that this internal search has hardcoded
limits and throws LimitExceeded exception when DS is too slow.

DNSSEC daemons do not need any abstractions from ldap2 so we are going
to use ipaldap directly. This will avoid the unnecessary search and
associated risks.

https://fedorahosted.org/freeipa/ticket/5342

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. 2015-09-03T16:22:53+00:00 Petr Spacek pspacek@redhat.com 2015-09-01T16:16:06+00:00 ecf796e9c021a3b06e670f0602e8a10dcfd6f1f1 https://fedorahosted.org/freeipa/ticket/5273 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>