| field | value | date |
|---|---|---|
| author | Petr Spacek <pspacek@redhat.com> | 2015-11-24 12:49:40 +0100 |
| committer | Martin Basti <mbasti@redhat.com> | 2016-01-07 14:13:23 +0100 |
| commit | 9ff1c0ac297cba8c0d5a87f6ecfa7d41169476c0 (patch) | |
| tree | 5019c344a8a5210ab5deeaafb2eaf40608b18a0b /daemons/ipa-kdb | |
| parent | 9bcb9887eab496a98a46c149c93c517c5dcb99c7 (diff) | |
| download | freeipa-9ff1c0ac297cba8c0d5a87f6ecfa7d41169476c0.tar.gz, freeipa-9ff1c0ac297cba8c0d5a87f6ecfa7d41169476c0.tar.xz, freeipa-9ff1c0ac297cba8c0d5a87f6ecfa7d41169476c0.zip | |
DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
Previously we published timestamps of planned state changes in LDAP.
This led to situations where state transition in OpenDNSSEC was blocked
by an additional condition (or unavailability of OpenDNSSEC) but BIND
actually did the transition as planned.
Additionally, the key state mapping was incorrect for KSK, so sometimes the KSK
was not used for signing when it should have been.
Example (for code without this fix):
- Add a zone and let OpenDNSSEC generate keys.
- Wait until keys are in state "published" and next state is "inactive".
- Shut down OpenDNSSEC or break replication from the DNSSEC key master.
- See that keys on DNS replicas transition to state "inactive" even
though it should not happen because OpenDNSSEC is not available
(i.e. new keys may not be available).
- The end result is that the affected zone will not be signed anymore, even
though it should stay signed with the old keys.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb')
0 files changed, 0 insertions, 0 deletions