DNSSEC: installation

Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>

install/tools/ipa-dns-install

@@ -23,7 +23,8 @@ from optparse import OptionGroup, SUPPRESS_HELP
 
 import krbV
 
-from ipaserver.install import service, bindinstance, ntpinstance, httpinstance
+from ipaserver.install import (service, bindinstance, ntpinstance,
+    httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance)
 from ipaserver.install.installutils import *
 from ipaserver.install import installutils
 from ipapython import version
@@ -56,6 +57,8 @@ def parse_options():
                       default=False, help="Do not create new reverse DNS zone")
     parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
                       default=False, help="Disable DNSSEC validation")
+    parser.add_option("--dnssec-master", dest="dnssec_master", action="store_true",
+                      default=False, help="Setup server to be DNSSEC key master")
     parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
                       type="string",
                       help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
@@ -99,14 +102,40 @@ def main():
     print ""
     print "This includes:"
     print "  * Configure DNS (bind)"
+    print "  * Configure SoftHSM (required by DNSSEC)"
+    print "  * Configure ipa-dnskeysyncd (required by DNSSEC)"
+    if options.dnssec_master:
+        print "  * Configure ipa-ods-exporter (required by DNSSEC key master)"
+        print "  * Configure OpenDNSSEC (required by DNSSEC key master)"
+        print "  * Generate DNSSEC master key (required by DNSSEC key master)"
+    print ""
+    print "NOTE: DNSSEC zone signing is not enabled by default"
+    print ""
+    if options.dnssec_master:
+        print "DNSSEC support is experimental!"
+        print ""
+        print "Plan carefully, current version doesn't allow you to move DNSSEC"
+        print "key master to different server and master cannot be uninstalled"
+        print ""
     print ""
     print "To accept the default shown in brackets, press the Enter key."
     print ""
 
+    if options.dnssec_master and not options.unattended and not ipautil.user_input(
+            "Do you want to setup this IPA server as DNSSEC key master?",
+            False):
+        sys.exit("Aborted")
+
     # Check bind packages are installed
-    if not bindinstance.check_inst(options.unattended):
+    if not (bindinstance.check_inst(options.unattended) and
+            dnskeysyncinstance.check_inst()):
         sys.exit("Aborting installation.")
 
+    if options.dnssec_master:
+        # check opendnssec packages are installed
+        if not opendnssecinstance.check_inst():
+            sys.exit("Aborting installation")
+
     # Initialize the ipalib api
     cfg = dict(
         in_server=True,
@@ -115,9 +144,6 @@ def main():
     api.bootstrap(**cfg)
     api.finalize()
 
-    if bindinstance.named_conf_exists():
-        sys.exit("\nDNS is already configured in this IPA server.")
-
     # Create a BIND instance
     if options.unattended and not options.dm_password:
         sys.exit("\nIn unattended mode you need to provide at least the -p option")
@@ -135,6 +161,14 @@ def main():
     except errors.ACIError:
         sys.exit("Password is not valid!")
 
+    ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password)
+    if options.dnssec_master:
+        dnssec_masters = ods.get_masters()
+        # we can reinstall current server if it is dnssec master
+        if not api.env.host in dnssec_masters and dnssec_masters:
+            print "DNSSEC key master(s):", u','.join(dnssec_masters)
+            sys.exit("Only one DNSSEC key master is supported in current version.")
+
     ip_addresses = get_server_ip_address(api.env.host, fstore,
         options.unattended, True, options.ip_addresses)
 
@@ -180,6 +214,18 @@ def main():
                no_dnssec_validation=options.no_dnssec_validation)
     bind.create_instance()
 
+    # on dnssec master this must be installed last
+    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
+    dnskeysyncd.create_instance(api.env.host, api.env.realm)
+    if options.dnssec_master:
+        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password)
+
+        ods_exporter.create_instance(api.env.host, api.env.realm)
+        ods.create_instance(api.env.host, api.env.realm)
+
+    dnskeysyncd.start_dnskeysyncd()
+    bind.start_named()
+
     # Restart http instance to make sure that python-dns has the right resolver
     # https://bugzilla.redhat.com/show_bug.cgi?id=800368
     http = httpinstance.HTTPInstance(fstore)

install/tools/ipa-replica-install

@@ -33,7 +33,7 @@ from ipapython import ipautil
 
 from ipaserver.install import dsinstance, installutils, krbinstance, service
 from ipaserver.install import bindinstance, httpinstance, ntpinstance
-from ipaserver.install import memcacheinstance
+from ipaserver.install import memcacheinstance, dnskeysyncinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
 from ipaserver.install.installutils import (
@@ -275,7 +275,12 @@ def install_bind(config, options):
                config.reverse_zones, ca_configured=options.setup_ca,
                no_dnssec_validation=options.no_dnssec_validation)
     bind.create_instance()
-
+    print ""
+    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(
+        dm_password=config.dirman_password)
+    dnskeysyncd.create_instance(api.env.host, api.env.realm)
+    dnskeysyncd.start_dnskeysyncd()
+    bind.start_named()
     print ""
     bind.check_global_configuration()
     print ""
@@ -351,7 +356,8 @@ def check_dirsrv():
         sys.exit(1)
 
 def check_bind():
-    if not bindinstance.check_inst(unattended=True):
+    if not (bindinstance.check_inst(unattended=True) and
+            dnskeysyncinstance.check_inst()):
         print "Aborting installation"
         sys.exit(1)
 

install/tools/ipa-server-install

@@ -49,6 +49,9 @@ except ImportError:
 from ipaserver.install import dsinstance
 from ipaserver.install import krbinstance
 from ipaserver.install import bindinstance
+from ipaserver.install import dnskeysyncinstance
+from ipaserver.install import opendnssecinstance
+from ipaserver.install import odsexporterinstance
 from ipaserver.install import httpinstance
 from ipaserver.install import ntpinstance
 from ipaserver.install import certs
@@ -894,7 +897,8 @@ def main():
 
     # check bind packages are installed
     if options.setup_dns:
-        if not bindinstance.check_inst(options.unattended):
+        if not (bindinstance.check_inst(options.unattended) and
+                dnskeysyncinstance.check_inst()):
             sys.exit("Aborting installation")
 
         # Don't require an external DNS to say who we are if we are
@@ -1284,6 +1288,10 @@ def main():
         api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password)
 
         bind.create_instance()
+        dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
+        dnskeysyncd.create_instance(api.env.host, api.env.realm)
+        dnskeysyncd.start_dnskeysyncd()
+        bind.start_named()
         print ""
         bind.check_global_configuration()
         print ""