Reported by user:
Use an OpenDNSSEC policy which creates keys with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1).
(This might happen for other algorithms, too.)
The key is not properly converted to BIND key files and DNSSEC signing does not work.
Log from ipa-dnskeysyncd daemon:
ipa : DEBUG args=/usr/sbin/dnssec-keyfromlabel-pkcs11 -K pkcs11:object=a00001;pin-source=/var/lib/ipa/dnssec/softhsm_pin -I none -D none -P 20140731111634 -A 20140731111634 -f KSK myzone.com.
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=
ipa : DEBUG stderr=dnssec-keyfromlabel: fatal: unknown
Apparently, some values in python-dns's dns.dnssec._algorithm_by_text are different from the values expected by BIND's dnssec-keyfromlabel tool. IPA needs to convert the values into the format expected by BIND.
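The mismatch the reporter describes, shown as an added example (this is not FreeIPA's code and not the fix that was eventually merged): the two tools spell several IANA algorithm numbers differently, and the algorithm-7 case from this ticket (dnspython's RSASHA1NSEC3SHA1 versus BIND's NSEC3RSASHA1) is one of them. The tables below are keyed by the IANA algorithm number and list only the algorithms both tools name; the helper that builds a dnssec-keyfromlabel argument list takes its option layout from the log above and inserts an explicit -a with the BIND spelling. The label, zone and dates are constructed sample values.

```python
"""Translate DNSSEC algorithm mnemonics between dnspython and BIND.

Added example, not FreeIPA code. DNSPYTHON_NAMES follows the spelling used by
dns.dnssec._algorithm_by_text; BIND_NAMES follows the mnemonics accepted by
dnssec-keyfromlabel -a. Both are keyed by the IANA algorithm number.
"""

# dnspython spelling, keyed by IANA DNSSEC algorithm number.
DNSPYTHON_NAMES = {
    1: "RSAMD5",
    3: "DSA",
    5: "RSASHA1",
    6: "DSANSEC3SHA1",
    7: "RSASHA1NSEC3SHA1",   # the algorithm from this ticket
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}

# BIND spelling for the same numbers, as dnssec-keyfromlabel -a expects it.
BIND_NAMES = {
    1: "RSAMD5",
    3: "DSA",
    5: "RSASHA1",
    6: "NSEC3DSA",
    7: "NSEC3RSASHA1",       # what BIND wants instead of RSASHA1NSEC3SHA1
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}

_DNSPYTHON_BY_TEXT = {name: number for number, name in DNSPYTHON_NAMES.items()}


def bind_algorithm_name(algorithm):
    """Return the -a value BIND expects, given an IANA number or a dnspython mnemonic.

    Unknown names or numbers raise ValueError instead of being passed through,
    so a bad value fails here rather than as a confusing BIND error later.
    """
    if isinstance(algorithm, int):
        number = algorithm
    else:
        text = str(algorithm).upper()
        if text not in _DNSPYTHON_BY_TEXT:
            raise ValueError("unknown dnspython DNSSEC algorithm mnemonic: %r" % algorithm)
        number = _DNSPYTHON_BY_TEXT[text]
    if number not in BIND_NAMES:
        raise ValueError("no BIND mnemonic known for DNSSEC algorithm %d" % number)
    return BIND_NAMES[number]


def mismatched_algorithms():
    """Algorithm numbers whose dnspython and BIND spellings differ.

    These are exactly the values that cannot be handed to BIND unchanged.
    """
    return sorted(n for n in BIND_NAMES if DNSPYTHON_NAMES[n] != BIND_NAMES[n])


def keyfromlabel_argv(label, algorithm, zone, publish, activate, ksk=False):
    """Build a dnssec-keyfromlabel-pkcs11 argument list with a BIND-spelled -a.

    Option layout mirrors the command in the ticket log; the PKCS#11 label,
    zone and timestamps are whatever the caller supplies.
    """
    argv = [
        "/usr/sbin/dnssec-keyfromlabel-pkcs11",
        "-a", bind_algorithm_name(algorithm),
        "-l", label,
        "-I", "none", "-D", "none",
        "-P", publish, "-A", activate,
    ]
    if ksk:
        argv += ["-f", "KSK"]
    argv.append(zone)
    return argv


if __name__ == "__main__":
    # Constructed sample values, matching the shape of the ticket log.
    print(" ".join(keyfromlabel_argv(
        "pkcs11:object=a00001;pin-source=/var/lib/ipa/dnssec/softhsm_pin",
        "RSASHA1NSEC3SHA1", "myzone.com.",
        "20140731111634", "20140731111634", ksk=True)))
    print("algorithms needing translation:", mismatched_algorithms())
```

Running the block prints the translated command line for the ticket's algorithm-7 KSK and lists the numbers (6 and 7) for which a straight pass-through of the dnspython mnemonic would make BIND reject the key.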
Metadata Update from @pspacek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @mbasti:
- Issue assigned to tkrizek (was: mbasti)
- Issue close_status updated to: None
Metadata Update from @tkrizek:
- Assignee reset
Metadata Update from @frenaud:
- Issue set to the milestone: DNSSEC (was: FreeIPA 4.5 backlog)