Back to bug 1298102
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Jan Cholasta | 2016-01-13 09:24:42 UTC | Status | NEW | MODIFIED |
| Fixed In Version | ipa-4.2.0-15.el7_2.4 | |||
| errata-xmlrpc | 2016-01-13 09:30:34 UTC | Status | MODIFIED | ON_QA |
| Jan Cholasta | 2016-01-18 06:22:11 UTC | CC | jcholast | |
| Flags | needinfo?(pspacek) | |||
| Petr Spacek | 2016-01-18 10:17:34 UTC | Doc Text | Cause: ipa-ods-exporter utility and ipa-dnskeysyncd daemon did not properly handle DNSSEC key purging, which is automatically done by OpenDNSSEC Enforcer daemon 14 days after particular key is not used anymore. Consequence: DNSSEC key synchronization stopped working after 14 days after key rotation. Considering the fact that Zone Signing Key (ZSK) is rotated each 3 months, the problem typically arises 3 months + 14 days after DNSSEC enablement for first DNS zone. Fix: ipa-ods-exporter utility and ipa-dnskeysyncd daemon were fixed to properly handle key purging. Result: Key distribution continues to work after key purging event. | |
| Flags | needinfo?(pspacek) | |||
| Pavel Picka | 2016-01-29 15:16:43 UTC | Status | ON_QA | VERIFIED |
| CC | ppicka | |||
| Assignee | ipa-maint | ppicka | ||
| Lenka Špačková | 2016-02-08 16:37:02 UTC | Doc Text | Cause: ipa-ods-exporter utility and ipa-dnskeysyncd daemon did not properly handle DNSSEC key purging, which is automatically done by OpenDNSSEC Enforcer daemon 14 days after particular key is not used anymore. Consequence: DNSSEC key synchronization stopped working after 14 days after key rotation. Considering the fact that Zone Signing Key (ZSK) is rotated each 3 months, the problem typically arises 3 months + 14 days after DNSSEC enablement for first DNS zone. Fix: ipa-ods-exporter utility and ipa-dnskeysyncd daemon were fixed to properly handle key purging. Result: Key distribution continues to work after key purging event. | The ipa-ods-exporter utility and the ipa-dnskeysyncd daemon did not properly handle DNSSEC key purging, which is automatically done by the OpenDNSSEC Enforcer daemon 14 days after the particular key is no longer in use. Consequently, DNSSEC key synchronization stopped working 14 days after a key rotation. Because Zone Signing Key (ZSK) is rotated every 3 months, the problem typically occurred 3 months and 14 days after DNSSEC was enabled for the first DNS zone. With this update, ipa-ods-exporter and ipa-dnskeysyncd have been fixed to properly handle key purging, and key distribution now works as expected after a key purging event. |
| errata-xmlrpc | 2016-02-16 00:24:18 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2016-02-16 10:59:02 UTC | Status | RELEASE_PENDING | CLOSED |
| Resolution | --- | ERRATA | ||
| Last Closed | 2016-02-16 05:59:02 UTC |