[Opendnssec-user] Re: OpenDNSSEC & dynamic updates & FreeIPA

Petr Spacek pspacek at redhat.com
Fri Oct 31 15:14:06 UTC 2014

On 6.10.2014 19:15, Kevin Thompson wrote:
> Howdy all,
> I was reading the release plan[1], and I saw mentioned 'Signer - Dynamic
> updates'. Could you elaborate on that?
> Currently, the best method I've found for integrating ODS with a dynamic zone
> on one server is the CentralNIC pattern[2] - the unsigned zone is served by a
> master from a private view, injected into ODS by a DNS input adapter, signed
> file goes out, and finally the signed file is served statically by the master
> on a public view. This method works, but is a little cumbersome.
> I'm really hoping that what is meant by 'dynamic updates' is that ODS would
> take notifies to know when the dynamic zone is changed, would download the
> updates via IXFR, and then directly add/update/delete records as needed via
> dynamic updates. If so, this would be huge, since it would greatly ease
> integration of ODS into dynamic zones. I imagine the similarly mentioned
> "Database input and output adapter" would work the same way, but would
> directly update a database storing the zone.
> Is my understanding of the release plan correct? If so, I'm really excited for
> the future of OpenDNSSEC.

If you want to experiment you can take a look at FreeIPA 4.1.0.

It integrates OpenDNSSEC 1.4.x with BIND 9.9.x server backed by LDAP database 
to one (almost :-) seamless system.

Please keep in mind that this solution is intended mainly for internal 
deployments so it is focused on ease of use and maintainability instead of 

 From user's point of view, it allows you to click on 'DNSSEC signing enabled' 
in web interface (or FreeIPA CLI/API) and it will generate keys for you and 
sign the zone automatically using BIND's in-line signing feature.

All you have to do after that is to put DS record to your parent zone and call 
OpenDNSSEC's ds-seen command.

As a result, dynamic updates (GSS-TSIG only at this moment) are fully 
supported and changes will be reflected in the signed version almost immediately.

You can read more about it on:

Or contact freeipa-users at redhat.com mailing list.

Have a nice day!

Petr Spacek  @  Red Hat

More information about the Opendnssec-user mailing list