#8647 Incorrect DNSKEY created when DNSSEC enabled for zone
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1912556

Description of problem:
When DNSSEC is enabled for the zone, two DNSKEYs should be created for the zone:
one KSK key (for trust chain connection from upper level zone) and one ZSK key
for record signing.
Currently two KSK DNSKEYs are created.

Version-Release number of selected component (if applicable):
ipa-selinux-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-dns-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-client-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-healthcheck-core-0.4-6.module_el8.3.0+482+9e103aab.noarch
ipa-server-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-server-trust-ad-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-client-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch

How reproducible:
Probably always. Visible in 5 different zones (not yet exposed on the
Internet).

Steps to Reproduce:
1. Create zone as usual.
2. Enable DNSSEC: ipa dnszone-mod <zonename> --dnssec=true
3. Enable NSEC3:  ipa dnszone-mod <zonename> --nsec3param-rec="1 1 10 $(xxd -ps -l8 -u /dev/urandom)"

Actual results:
2 KSKs attached to the zone.

Expected results:
1 KSK and 1 ZSK attached to the zone.

Additional info:
Key listing from opendnssec:
filippa:~# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-enforcer key list -v -z <xxx>.eu
Keys:
Zone:      Keytype:  State:    Date of next transition:  Size:  Algorithm:  CKA_ID:                           Repository:  KeyTag:
<xxx>.eu   KSK       publish   2021-01-05 08:43:35       3072   8           820cd89ce8c3bc9d191e6f1afc664fe4  SoftHSM      36710
<xxx>.eu   ZSK       ready     2021-01-05 08:43:35       2048   8           250d09a4724d46676e4b7fe0b77eb9ba  SoftHSM      24045

Please note keytypes in the listing above: 1 KSK & 1 ZSK.

dig output:
filippa:~# dig <xxx>.eu dnskey +short +rrcomments
257 3 8 AwEAAbv1+PERvOibE315J7G0z6X9G/gXzCYQjO53E1jawFy+Jskg/aQ8
A5o5cWlR8ip5z4TLH1qwRUznvbZAWUNi26EqSCLL/oEYLfl8ibexRWip
5i12D1lxPtl4j6rYDUMeLmu7Nmt6uMRyG8FmzwKKmNLG76U4EJTjGgO+
7xdDzU9U6pppwxJD3RCeuYFHn78pxsNwnEOYo5ICOCXCHuTZw6YWq1oH
JY+nuzBhtFlU82T4p2MoqvNlfRjd+85yIgJVImvXpyMLWBTVcgpv1goY
nb3wF3LMlWJU8wZVLTXuJjQrXWyfnrATzGe7lKmMRNxhtvGoEXAmRjFP 4auS74Oh1SE=  ; KSK; alg = RSASHA256 ; key id = 24046
257 3 8 AwEAAcCeLyVFPsCDR2b8q1cB4O+qPzroVdyN56/SseHPFwHsEXwHqbOD
HKWKl8inUc2fDK0rboPP0CrMxxTDWC+JDY4CCqGZcYO8YeIR04BRb9A9
IiCvtWvxBo8qNhLvDGFhFaUHVWIsJfBl+PtkgmbbwGZ6k7JuO1vnxCVc
sP9ZvLfFqdj6CeIGhCmISKTZ/iNYIX4hZ1o7NrYhD+o6d+f3v69Q8Q9F
8aTUeG5KwDPlYQMMyI6SxKaSO1lR/8DrCAdn7KOMW6hZmB9b+l5t4RrW
/eJ76DlISHGpxZTUkXGRDKah6yGpDK0CyQRa8uUPsQ6WJ3V/xyWF0SJ1
0HRPk3OwgqUm6iSukOdBIgIb6Gfrtxpsi6VkLiq2QDGOFou6RD7F5ddU
tvlao+AWrnQ75HqyHvvzjtYHEXTsBCXb+9oWEDi0jfaFlKVeO+xmKKd5
6NuzBAwzSRsgtucxAqjB+IB6Yt8DEW+jaH7J10NUkeMiQEFD/hW26Gsg DdaZIZaLTI2Ihw==  ; KSK; alg = RSASHA256 ; key id = 36710

Please note BOTH keys are marked as KSK (both in comments and by keyflags in
the first field: 257).
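Added example (not part of this ticket or of FreeIPA's own code): a small Python checker that parses DNSKEY records in the dig +short format shown above, classifies each key by its flags field (256 = ZSK, 257 = KSK with the SEP bit set), computes the RFC 4034 key tag, and reports the "two KSKs, no ZSK" state described in this report. All key material is constructed sample data, not the reporter's keys.

```python
import base64
import struct

def parse_dnskey(rr_text):
    """Parse one DNSKEY RR as printed by 'dig <zone> dnskey +short':
    '<flags> <protocol> <algorithm> <base64 key>'; a trailing ';' comment
    added by +rrcomments is ignored."""
    fields = rr_text.split(";", 1)[0].split()
    flags, proto, alg = int(fields[0]), int(fields[1]), int(fields[2])
    pubkey = base64.b64decode("".join(fields[3:]))
    return {"flags": flags, "protocol": proto, "algorithm": alg, "key": pubkey}

def key_role(flags):
    """RFC 4034 flags: bit value 256 marks a zone key, bit value 1 is the SEP
    bit that distinguishes a KSK from a ZSK. So 256 = ZSK, 257 = KSK."""
    if not flags & 0x0100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x0001 else "ZSK"

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag, computed over the wire-format RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def audit_zone_keys(rr_lines):
    """Count KSKs and ZSKs in a DNSKEY RRset. A split-key zone like the one in
    this ticket needs at least one of each; two KSKs and no ZSK is the bug."""
    roles = [key_role(parse_dnskey(line)["flags"]) for line in rr_lines if line.strip()]
    counts = {"KSK": roles.count("KSK"), "ZSK": roles.count("ZSK")}
    counts["ok"] = counts["KSK"] >= 1 and counts["ZSK"] >= 1
    return counts

# Constructed sample key material (hypothetical, not the reporter's keys).
SAMPLE_KEY_A = bytes([3, 1, 0, 1]) + bytes(range(1, 13))
SAMPLE_KEY_B = bytes([3, 1, 0, 1]) + bytes(range(13, 25))
_A, _B = (base64.b64encode(k).decode() for k in (SAMPLE_KEY_A, SAMPLE_KEY_B))
# What the buggy zone looked like: both keys carry flags 257.
BUGGY_DIG_OUTPUT = [f"257 3 8 {_A}  ; KSK; alg = RSASHA256",
                    f"257 3 8 {_B}  ; KSK; alg = RSASHA256"]
# What the fixed zone should look like: one ZSK (256) and one KSK (257).
FIXED_DIG_OUTPUT = [f"256 3 8 {_A}  ; ZSK; alg = RSASHA256",
                    f"257 3 8 {_B}  ; KSK; alg = RSASHA256"]

if __name__ == "__main__":
    print("buggy:", audit_zone_keys(BUGGY_DIG_OUTPUT))
    print("fixed:", audit_zone_keys(FIXED_DIG_OUTPUT))
```

The key-tag arithmetic also accounts for the listing above: the 2048-bit key has keytag 24045 as a ZSK in ods-enforcer but key id 24046 in dig, because publishing it with flags 257 instead of 256 adds one to the RFC 4034 tag (as it does here).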

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1912556

2 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

2 years ago

Metadata Update from @frenaud:
- Issue tagged with: test-failure

2 years ago

The test test_integration/test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust is also failing while checking the chain of signature using the drill command, likely related to this issue. Please see PR #649, test_dnssec.

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5444

2 years ago

master:

  • cdfc863 dnssec: fix the key type with OpenDNSSEC 2.1
  • 7902c78 ipatests: add a test for ZSK/KSK keytype in DNSKEY record
  • ca17a81 OpenDNSSEC: fix timezone in key creation date

ipa-4-9:

  • 4476236 dnssec: fix the key type with OpenDNSSEC 2.1
  • dd21d06 ipatests: add a test for ZSK/KSK keytype in DNSKEY record
  • 2a51892 OpenDNSSEC: fix timezone in key creation date

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

ipa-4-8:

  • c02544c azure: bump F32->F34
  • 7802e14 freeipa.spec: do not use jsl for linting on Fedora 34+
  • 7433be9 azure: Collect systemd boot log
  • 523a9f8 azure: Enforce multi-user.target as default systemd's target
  • 677df14 azure: Wait for systemd booted
  • 04c90fb azure: Remove no longer needed repo
  • 8fea2f6 azure: Mask systemd-resolved
  • 976a3bf ipatests: Update expectations for test_detect_container
  • e573163 azure: Add workaround for PhantomJS against OpenSSL 1.1.1
  • 0123795 azure: Warn about memory issues
  • 835df31 BIND: Setup logging
  • 2a9dea8 ipatests: Setup and collect BIND logs
  • e23f976 azure: Run Base and XMLRPC tests is isolated network
  • 34e1f6a ipatests: Handle network-isolated mode
  • c8e5867 dnsutil: Improvements for IPA DNS Resolver
  • fe0b5ff dns: get_reverse_zone: Ignore resolver's timeout
  • d40306b pytest: Show extra summary information for all except passed tests
  • ff70aac ipatests: Ignore warnings on failed to read files on tarring
  • cb3b396 ipatests: Suppress list trust or certificates
  • 21a5201 azure: Collect installed packages
  • c65c7eb ipatests: dnssec: Add alternative approach for checking chain of trust
  • 6710ff4 azure: Warn about extra and missing gating tests compared to PR-CI
  • a5730f5 azure: Re-balance tests envs
  • e66eb48 azure: coredump: Wait for systemd fully booted
  • 6561fc6 ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating
  • 8bf9538 azure: Make it possible to adjust Docker resources per test env
  • 2a7f21a ipa-kdb: fix gcc complaints in kdb tests
  • e94261f Set client keytab location for 389ds
  • ba6eb85 dnssec: fix the key type with OpenDNSSEC 2.1
  • 7daf47c ipatests: add a test for ZSK/KSK keytype in DNSKEY record
  • b8242e6 handle Y2038 in timestamp to datetime conversions
  • 5bfe16a OpenDNSSEC: fix timezone in key creation date
  • 56746ec freeipa.spec: bump the required version of 389ds
  • 2b8ccc8 freeipa.spec: synchronize with Fedora for 389-ds and PKI versions
  • a868604 ipatests: collect config files for NetworkManager and systemd-resolved
  • bc9ca47 ipatests: add utility for managing domain name resolvers
  • cdc78af ipatests: setup resolvers during replica and client installations
  • 549ef48 ipatests: do not manually modify /etc/resolv.conf in tests
  • 324ba20 ipatests: disable systemd-resolved cache
  • 9a28022 ipatests: mock resolver factory
  • 63a3cff ipatests: always try to create A records for hosts in IPA domain
  • d9744e7 ipatests: do not configure nameserver when installing client and replica
  • 47e9df1 ipatests: fix TestInstalDNSSECFirst::test_resolvconf logic
  • bca86ce pr-ci: Run tests on F34
  • 0b8517d Revert "ipatests: configure client to use IPA server as DNS resolver"
  • d43d9ca ipatests: Fetch sudo rules without time offset
