#6229 DNSSEC key distribution does not work some key types
Opened 4 years ago by pspacek. Modified a month ago

Reported by user:
https://www.redhat.com/archives/freeipa-users/2016-August/msg00290.html

Steps to reproduce

Use a OpenDNSSEC policy which creates keys with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).

(This might happen for other algorithms, too.)

Symptom

The key is not properly converted to BIND key files and DNSSEC signing does not work.

Log from ipa-dnskeysyncd daemon:

ipa         : DEBUG    args=/usr/sbin/dnssec-keyfromlabel-pkcs11 -K
/var/named/dyndb-ldap/ipa/master/myzone.com/tmp5dI2FC -a
RSASHA1NSEC3SHA1 -l
pkcs11:object=a00001;pin-source=/var/lib/ipa/dnssec/softhsm_pin -I none
-D none -P 20140731111634 -A 20140731111634 -f KSK myzone.com.
ipa         : DEBUG    Process finished, return code=1
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=dnssec-keyfromlabel: fatal: unknown
algorithm RSASHA1NSEC3SHA1

Analysis

Apparently, some values in python-dns's dns.dnssec._algorithm_by_text values are different than values expected by BIND's dnssec-keyfromlabel tool. IPA needs to convert the values into format expected by BIND.


Metadata Update from @pspacek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.5 backlog

4 years ago

Metadata Update from @mbasti:
- Issue assigned to tkrizek (was: mbasti)
- Issue close_status updated to: None

3 years ago

Metadata Update from @tkrizek:
- Assignee reset

2 years ago

Metadata Update from @frenaud:
- Issue set to the milestone: DNSSEC (was: FreeIPA 4.5 backlog)

a month ago

Login to comment on this ticket.

Metadata