Back to bug 1296214

Who When What Removed Added
Petr Spacek 2016-01-07 08:18:59 UTC CC pspacek
Assignee ipa-maint pspacek
Martin Bašti 2016-01-07 13:37:13 UTC CC mbasti
Martin Bašti 2016-01-07 15:24:26 UTC Status NEW POST
Kaleem 2016-01-08 06:54:39 UTC CC ksiddiqu
Ellen Newlands 2016-01-11 20:55:12 UTC CC enewland
Jan Cholasta 2016-01-12 06:12:27 UTC Status POST MODIFIED
Fixed In Version ipa-4.2.0-16.el7
Assignee pspacek ipa-maint
Martin Kosek 2016-01-12 15:59:37 UTC Priority unspecified high
CC mkosek
Severity unspecified high
Eugene Keck 2016-01-12 16:10:15 UTC Priority high urgent
CC ekeck
Hardware Unspecified All
OS Unspecified Linux
Severity high urgent
Jan Kurik 2016-01-13 09:03:40 UTC Blocks 1298102
Jan Kurik 2016-01-13 09:04:15 UTC Keywords ZStream
Petr Spacek 2016-01-18 10:17:12 UTC Doc Text Cause:
The ipa-ods-exporter utility and the ipa-dnskeysyncd daemon did not properly handle DNSSEC key purging, which is done automatically by the OpenDNSSEC Enforcer daemon 14 days after a particular key is no longer used.

Consequence:
DNSSEC key synchronization stopped working 14 days after key rotation. Considering the fact that the Zone Signing Key (ZSK) is rotated every 3 months, the problem typically arises 3 months + 14 days after DNSSEC enablement for the first DNS zone.


Fix:
The ipa-ods-exporter utility and the ipa-dnskeysyncd daemon were fixed to properly handle key purging.

Result:
Key distribution continues to work after a key purging event.
errata-xmlrpc 2016-05-20 05:57:47 UTC Status MODIFIED ON_QA
Pavel Picka 2016-08-17 19:05:16 UTC Status ON_QA VERIFIED
CC ppicka
Assignee ipa-maint ppicka
errata-xmlrpc 2016-11-02 15:12:51 UTC Status VERIFIED RELEASE_PENDING
errata-xmlrpc 2016-11-04 05:48:13 UTC Status RELEASE_PENDING CLOSED
Resolution --- ERRATA
Last Closed 2016-11-04 01:48:13 UTC
