DNSSEC
Overview
The Domain Name System Security Extensions (DNSSEC) are a set of extensions to DNS that allow clients to check denial of existence and the data integrity of DNS query results.
Design
FreeIPA 4.0.0 introduced an experimental DNSSEC implementation that provided only a minimal user interface and depended on manual key management (done by the administrator).
FreeIPA 4.1.0 and newer provide automatic key management (see bind-dyndb-ldap’s design page). The disadvantage of this approach is that one replica is a single point of failure for key management. More information is available here.