#5348 [tracker] dig + dnssec does not display signature of freshly created root zone
Closed: fixed 4 months ago by ofayans. Opened 3 years ago by ofayans.

On a freshly installed ipa configured to be dnssec-master:

ipa-dns-install --dnssec-master

When I create a dnssec-signed root zone with one record in it

ipa dnszone-add --dnssec true .
ipa dnsrecord-add "." rhts.englab.brq.redhat.com. --ns-rec=dell-pe1950-06.rhts.englab.brq.redhat.com

And then query dnssec info for this zone:

dig +dnssec @localhost "." SOA

The response does NOT contain the key. After I restart named-pkcs11.service the key starts to be shown.

This does not always happen.

The issue is caused by a bug somewhere between BIND and the SoftHSM storage; we have not found where exactly this happens yet.

Symptoms are that named cannot read the private keys; the following entry is listed in the named log:

dns_dnssec_findmatchingkeys: error reading key file Kexample.test.+008+51274.private: not found

Restart of named-pkcs11 service fixes it.
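The two symptoms described in the report and in the comment above (no RRSIG accompanying the SOA in the `dig +dnssec` answer, and the `dns_dnssec_findmatchingkeys` entry in the named log) can be checked mechanically before falling back to a service restart. The following is an added example, not code from this ticket or from FreeIPA; the dig output and log lines are constructed for the example, and the owner names and key tag in them are placeholders.

```python
"""Added example (not FreeIPA code): check DNSSEC signing health from two
artifacts this ticket describes, the output of `dig +dnssec <zone> SOA`
and the named-pkcs11 log. All sample data below is constructed."""
import re

# Constructed dig output for the healthy case: the SOA answer is
# accompanied by an RRSIG covering it.
SIGNED_DIG_OUTPUT = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
.\t86400\tIN\tSOA\tns.example.test. hostmaster.example.test. 2015100601 3600 900 1209600 3600
.\t86400\tIN\tRRSIG\tSOA 8 0 86400 20151106000000 20151007000000 51274 . AAAAexampleSignatureBase64==
"""

# Constructed dig output for the broken case from the ticket: the SOA is
# answered, but no RRSIG comes with it.
UNSIGNED_DIG_OUTPUT = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
.\t86400\tIN\tSOA\tns.example.test. hostmaster.example.test. 2015100601 3600 900 1209600 3600
"""

# Constructed named-pkcs11 log lines; the middle one is the symptom quoted
# in the ticket (key tag and zone name are placeholders).
SAMPLE_NAMED_LOG = [
    "Oct 06 10:12:01 ipa named-pkcs11[1234]: zone example.test/IN: loaded serial 2015100601",
    "Oct 06 10:12:01 ipa named-pkcs11[1234]: dns_dnssec_findmatchingkeys: "
    "error reading key file Kexample.test.+008+51274.private: not found",
    "Oct 06 10:12:02 ipa named-pkcs11[1234]: zone example.test/IN: sending notifies (serial 2015100601)",
]

KEY_READ_ERROR = re.compile(
    r"dns_dnssec_findmatchingkeys: error reading key file "
    r"(?P<keyfile>K\S+\.private): (?P<reason>.+)$"
)


def answer_section(dig_output):
    """Return the ANSWER SECTION records as whitespace-split field lists
    (owner, ttl, class, type, rdata...)."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False  # any other section header ends the answer
            continue
        if in_answer and line.strip():
            records.append(line.split())
    return records


def rrsig_covering(dig_output, rrtype):
    """True if the answer carries an RRSIG whose type-covered field is rrtype."""
    for fields in answer_section(dig_output):
        if len(fields) >= 5 and fields[3] == "RRSIG" and fields[4] == rrtype:
            return True
    return False


def key_read_errors(log_lines):
    """Return (keyfile, reason) for every log line reporting an unreadable
    private key file, the symptom named in the ticket."""
    found = []
    for line in log_lines:
        match = KEY_READ_ERROR.search(line)
        if match:
            found.append((match.group("keyfile"), match.group("reason")))
    return found


def dnssec_health(dig_output, log_lines, rrtype="SOA"):
    """Combine both checks into a list of human-readable problems; an empty
    list means the zone looks correctly signed and named could read its keys."""
    problems = []
    if not rrsig_covering(dig_output, rrtype):
        problems.append(f"no RRSIG covering {rrtype} in the answer section")
    for keyfile, reason in key_read_errors(log_lines):
        problems.append(f"named could not read {keyfile}: {reason}")
    return problems


if __name__ == "__main__":
    print("signed case:", dnssec_health(SIGNED_DIG_OUTPUT, []))
    print("broken case:", dnssec_health(UNSIGNED_DIG_OUTPUT, SAMPLE_NAMED_LOG))
```

In practice you would feed `dnssec_health` the real output of `dig +dnssec @localhost "." SOA` and the lines `journalctl -u named-pkcs11` prints; a non-empty result is the condition under which the ticket's workaround (restarting named-pkcs11) was applied.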

FreeIPA 4.2.3 was released, moving to next bug fixing milestone.

Some patches were posted for review but IMHO it is not a complete fix yet.

Improvements to debugging have been pushed together with ticket #5334.

The issue is not resolved yet.

I do not have to investigate it right now.

I do not have time to investigate it right now.

AFAIK a workaround exists, so it should not be a test blocker.

Test workarounds

ipa-4-3:

  • 377d75b A workaround for ticket N 5348

master:

  • 5567dff A workaround for ticket N 5348

It seems that it works now. Hopefully some underlying component was fixed.

master:

  • 8bc6775 Remove named-pkcs11 workarounds from DNSSEC tests.

Metadata Update from @ofayans:
- Issue assigned to pspacek
- Issue set to the milestone: FreeIPA 4.5

2 years ago

It is happening again :-(

Metadata Update from @mbasti:
- Custom field blocking reset (from ipa-tests)
- Issue status updated to: Open (was: Closed)

a year ago

Metadata Update from @mbasti:
- Issue assigned to tkrizek (was: pspacek)
- Issue set to the milestone: None (was: FreeIPA 4.5)

a year ago

The issue is easily reproducible running "test_dnssec" test suite.

Metadata Update from @pvoborni:
- Issue priority set to: important (was: normal)
- Issue set to the milestone: FreeIPA 4.7
- Issue tagged with: test-failure

a year ago

Metadata Update from @pvoborni:
- Issue assigned to cheimes (was: tkrizek)

10 months ago

master:

  • 6fb45d2 test_dnssec: re-add named-pkcs11 workarounds
  • dae4aac Tests: Set default TTL for DNS zones to 1 sec
  • 3a8f0bb Remove restarted_named and xfail

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 months ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

ipa-4-5:

  • a4502fe Test: fix definition of template for dnssec
  • 6700f89 test_dnssec: re-add named-pkcs11 workarounds
  • 8cbc971 Tests: Set default TTL for DNS zones to 1 sec
  • 8ae69a4 Remove restarted_named and xfail

Metadata Update from @tdudlak:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 months ago
