Reported by user: https://www.redhat.com/archives/freeipa-users/2016-August/msg00290.html
Use an OpenDNSSEC policy which creates keys with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
(This might happen for other algorithms, too.)
The key is not properly converted to BIND key files and DNSSEC signing does not work.
Log from ipa-dnskeysyncd daemon:

```
ipa : DEBUG args=/usr/sbin/dnssec-keyfromlabel-pkcs11 -K /var/named/dyndb-ldap/ipa/master/myzone.com/tmp5dI2FC -a RSASHA1NSEC3SHA1 -l pkcs11:object=a00001;pin-source=/var/lib/ipa/dnssec/softhsm_pin -I none -D none -P 20140731111634 -A 20140731111634 -f KSK myzone.com.
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=
ipa : DEBUG stderr=dnssec-keyfromlabel: fatal: unknown algorithm RSASHA1NSEC3SHA1
```
Apparently, some algorithm names in python-dns's `dns.dnssec._algorithm_by_text` differ from the names expected by BIND's `dnssec-keyfromlabel` tool. IPA needs to convert the values into the format expected by BIND before invoking it.
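As an added illustration (not FreeIPA's own fix), the following maps a dnspython algorithm mnemonic to the one BIND's `dnssec-keyfromlabel` accepts and builds the argument vector for the call seen in the log. The algorithm table is transcribed for this example from dnspython's `dns.dnssec` names and BIND's mnemonic list; the two differ only for the NSEC3 variants (6: `DSANSEC3SHA1` vs. `NSEC3DSA`, 7: `RSASHA1NSEC3SHA1` vs. `NSEC3RSASHA1`). The function and parameter names are assumptions made for this example.

```python
"""Translate dnspython DNSSEC algorithm mnemonics into BIND's spelling."""

# Algorithm number -> (dnspython mnemonic, BIND mnemonic).  Transcribed for
# this example; the only names that differ are the two NSEC3 variants.
_ALGORITHMS = {
    1:  ("RSAMD5", "RSAMD5"),
    3:  ("DSA", "DSA"),
    5:  ("RSASHA1", "RSASHA1"),
    6:  ("DSANSEC3SHA1", "NSEC3DSA"),
    7:  ("RSASHA1NSEC3SHA1", "NSEC3RSASHA1"),
    8:  ("RSASHA256", "RSASHA256"),
    10: ("RSASHA512", "RSASHA512"),
    13: ("ECDSAP256SHA256", "ECDSAP256SHA256"),
    14: ("ECDSAP384SHA384", "ECDSAP384SHA384"),
}

_DNSPYTHON_TO_NUMBER = {py: num for num, (py, _) in _ALGORITHMS.items()}
_NUMBER_TO_BIND = {num: bind for num, (_, bind) in _ALGORITHMS.items()}


def bind_algorithm_name(dnspython_name):
    """Return the mnemonic dnssec-keyfromlabel expects for a dnspython name.

    Raises ValueError for a name BIND has no mnemonic for, so the caller
    fails before spawning the tool instead of after parsing its stderr
    for "unknown algorithm".
    """
    key = dnspython_name.upper()
    try:
        number = _DNSPYTHON_TO_NUMBER[key]
    except KeyError:
        raise ValueError("no BIND algorithm mnemonic for %r" % dnspython_name)
    return _NUMBER_TO_BIND[number]


def keyfromlabel_args(zone, label, dnspython_name, key_dir, is_ksk,
                      tool="/usr/sbin/dnssec-keyfromlabel-pkcs11"):
    """Build argv for the call shown in the ticket log, with the algorithm
    name translated.  Timing options (-P/-A) are left to the caller."""
    argv = [tool, "-K", key_dir,
            "-a", bind_algorithm_name(dnspython_name),
            "-l", label, "-I", "none", "-D", "none"]
    if is_ksk:
        argv += ["-f", "KSK"]
    argv.append(zone)
    return argv


if __name__ == "__main__":
    # Constructed sample matching the failing invocation in the log.
    print(" ".join(keyfromlabel_args(
        "myzone.com.", "pkcs11:object=a00001", "RSASHA1NSEC3SHA1",
        "/var/named/dyndb-ldap/ipa/master/myzone.com/tmp5dI2FC", True)))
```

Translating by algorithm number rather than by string rewriting keeps the mapping correct if either library renames a mnemonic, and raising before the subprocess call turns a silent signing outage into an explicit error in ipa-dnskeysyncd's log.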
related #6223
Metadata Update from @pspacek: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @mbasti: - Issue assigned to tkrizek (was: mbasti) - Issue close_status updated to: None
Metadata Update from @tkrizek: - Assignee reset
Metadata Update from @frenaud: - Issue set to the milestone: DNSSEC (was: FreeIPA 4.5 backlog)