The nightly test test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust fails on rawhide, see for instance PR #824 with the following logs and report:
test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust
```
self = <ipatests.test_integration.test_dnssec.TestInstallDNSSECFirst object at 0x7f9cf0226e50>

    def test_chain_of_trust(self):
        """
        Validate signed DNS records, using our own signed root zone
        :return:
        """
        dnszone_add_dnssec(self.master, example_test_zone)
        # delegation
        args = [
            "ipa", "dnsrecord-add", root_zone, example_test_zone,
            "--ns-rec=" + self.master.hostname
        ]
        self.master.run_command(args)

        # TODO: test require restart
        tasks.restart_named(self.master, self.replicas[0])

        # wait until zone is signed
        assert wait_until_record_is_signed(
            self.master.ip, example_test_zone, timeout=100
        ), "Zone %s is not signed (master)" % example_test_zone
        # wait until zone is signed
        assert wait_until_record_is_signed(
            self.replicas[0].ip, example_test_zone, timeout=200
        ), "Zone %s is not signed (replica)" % example_test_zone

        # GET DNSKEY records from zone
        ans = resolve_with_dnssec(self.master.ip, example_test_zone,
                                  rtype="DNSKEY")
        dnskey_rrset = ans.response.get_rrset(
            ans.response.answer,
            dns.name.from_text(example_test_zone),
            dns.rdataclass.IN,
            dns.rdatatype.DNSKEY)
        assert dnskey_rrset, "No DNSKEY records received"

        logger.debug("DNSKEY records returned: %s", dnskey_rrset.to_text())

        # generate DS records
        ds_records = []
        for key_rdata in dnskey_rrset:
            if key_rdata.flags != 257:
                continue  # it is not KSK
            ds_records.append(dns.dnssec.make_ds(example_test_zone, key_rdata,
                                                 'sha256'))
        assert ds_records, ("No KSK returned from the %s zone"
                            % example_test_zone)

        logger.debug("DS records for %s created: %r",
                     example_test_zone, ds_records)

        # add DS records to root zone
        args = [
            "ipa", "dnsrecord-add", root_zone, example_test_zone,
            # DS record requires to coexists with NS
            "--ns-rec", self.master.hostname,
        ]
        for ds in ds_records:
            args.append("--ds-rec")
            args.append(ds.to_text())
        self.master.run_command(args)

        # wait until DS records it replicated
        assert wait_until_record_is_signed(
            self.replicas[0].ip, example_test_zone, timeout=100, rtype="DS"
        ), "No DS record of '%s' returned from replica" % example_test_zone

        # extract DSKEY from root zone
        ans = resolve_with_dnssec(self.master.ip, root_zone, rtype="DNSKEY")
        dnskey_rrset = ans.response.get_rrset(ans.response.answer,
                                              dns.name.from_text(root_zone),
                                              dns.rdataclass.IN,
                                              dns.rdatatype.DNSKEY)
        assert dnskey_rrset, "No DNSKEY records received"

        logger.debug("DNSKEY records returned: %s", dnskey_rrset.to_text())

        # export trust keys for root zone
        root_key_rdatas = []
        for key_rdata in dnskey_rrset:
            if key_rdata.flags != 257:
                continue  # it is not KSK
            root_key_rdatas.append(key_rdata)

        assert root_key_rdatas, "No KSK returned from the root zone"

        root_keys_rrset = dns.rrset.from_rdata_list(dnskey_rrset.name,
                                                    dnskey_rrset.ttl,
                                                    root_key_rdatas)
        logger.debug("Root zone trusted key: %s", root_keys_rrset.to_text())

        # set trusted key for our root zone
        self.master.put_file_contents(paths.DNSSEC_TRUSTED_KEY,
                                      root_keys_rrset.to_text() + '\n')
        self.replicas[0].put_file_contents(paths.DNSSEC_TRUSTED_KEY,
                                           root_keys_rrset.to_text() + '\n')

        # verify signatures
        time.sleep(DNSSEC_SLEEP)
        args = [
            "drill", "@localhost", "-k",
            paths.DNSSEC_TRUSTED_KEY, "-S", example_test_zone, "SOA"
        ]
        # test if signature chains are valid
>       self.master.run_command(args)
```
The test scenario is the following:
- configure master as DNSSEC master
- add a zone example.test. with dnssec enabled
- add NS record and DS record on the zone "." for example.test
- wait until the DS record is signed and replicated
- get the DNSKEY and put it into /etc/trusted.key on master and replica
- call drill on the master to validate the chain of trust
The drill output is the following:
```
RUN ['drill', '@localhost', '-k', '/etc/trusted-key.key', '-S', 'example.test.', 'SOA']
;; Number of trusted keys: 1
;; Chasing: example.test. SOA

DNSSEC Trust tree:
example.test. (SOA)
|---example.test. (DNSKEY keytag: 26662 alg: 8 flags: 257)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
Exit code: 29
```
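As an added example (not part of the FreeIPA test suite or of drill), this is what the test's `dns.dnssec.make_ds(..., 'sha256')` computes for each KSK and what a chasing validator such as drill compares when it links the DS in the parent zone to the child's DNSKEY, written against the standard library only. The DNSKEY records are constructed dummies with a two-byte "public key", so the key tag they produce (1291) is not the 26662 in the drill output above.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lower-case) wire form of a DNS name such as example.test."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' into its fields."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *key = line.split()
    assert rtype == "DNSKEY", "not a DNSKEY record"
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg))
    rdata += base64.b64decode("".join(key))  # presentation form may be split
    return owner, int(flags), int(alg), rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(line):
    """DS presentation text (digest type 2 = SHA-256) for one DNSKEY line."""
    owner, _flags, alg, rdata = parse_dnskey(line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return "%d %d 2 %s" % (key_tag(rdata), alg, digest)


def ksk_ds_records(dnskey_lines):
    """Like the test: build DS records only for KSKs (flags == 257)."""
    return [make_ds(l) for l in dnskey_lines if parse_dnskey(l)[1] == 257]


def ds_matches_dnskey(ds_text, dnskey_line):
    """The parent-to-child link a validator checks while chasing the chain."""
    return ds_text.split() == make_ds(dnskey_line).split()


# Constructed sample: one KSK and one ZSK, both with a dummy 2-byte key (AQI=).
SAMPLE_DNSKEYS = [
    "example.test. 3600 IN DNSKEY 257 3 8 AQI=",
    "example.test. 3600 IN DNSKEY 256 3 8 AQI=",
]
```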
Metadata Update from @frenaud: - Issue priority set to: important
Metadata Update from @frenaud: - Issue set to the milestone: DNSSEC
It is also failing on Fedora 34: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/c5011154-b289-11eb-bcce-fa163e67bee2/
Metadata Update from @slev: - Issue assigned to slev
I faced this issue during the Azure F32->F34 migration. I did some debugging and there is a mix of issues.
Failed in [testing_master_latest] PR #913, report
The first part of the issue was triggered by GCC 11 (which F34 switched to). The ldns code breaks strict aliasing and should be built with -fno-strict-aliasing. I hope upstream reacts; otherwise a Fedora packaging bug should be opened against ldns (I will open it this week).
Upstream ticket: https://github.com/NLnetLabs/ldns/issues/131
Downstream ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1962010
@slev thanks for investigating. Adding the tracker label to display the dependency on another component.
Failure observed in [testing_ipa-4.9_latest] Nightly PR #905, report
master:
ipa-4-9:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Present in [testing_ipa-4.9_latest] Nightly PR #935, report
Reopening, as test_chain_of_trust_drill introduced in 26ee44b should be marked as xfail.
Metadata Update from @mpolovka: - Issue status updated to: Open (was: Closed)
ipa-4-8:
@mpolovka, it was decided not to bump the required version of ldns but to update the test image instead.
https://github.com/freeipa/freeipa/pull/5800