Alexander and others who care about dnssec:
Given the ongoing problems with opendnssec/libp11 and the many freeipa
routines and resources dedicated to working around it, has bind9's
native dnssec implementation improved to the point we can greatly reduce
the freeipa package count by just using bind's dnssec provisions?
What's the roadmap on that?
My dnssec database was corrupted by a recent freeipa upgrade that
reverted to upstream code I patched locally some time ago. The upstream
doesn't really comprehend/value/test multi-concurrent thread machine
speed key/context/pin updates as deployed by opendnssec / softhsm2.
Even after I fixed the database by rolling keys and identifying corrupt
files, etc., etc., the 'new and improved' upstream code corrupted it
again within minutes. So I've disabled dnssec entirely, as money to
fund those minutes has run out.
I suspect if you only have one dnssec enabled domain, it may work for
you as is. But beyond that... you are on borrowed time.
Gave it all I could, hope someone else fixes it (or provides some $ for
me to do it...)
Best to all
Harry