| Summary: | DNSSEC key purging is not handled properly | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Kurik <jkurik> |
| Component: | ipa | Assignee: | Pavel Picka <ppicka> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.3 | CC: | ekeck, enewland, ipa-maint, jcholast, ksiddiqu, mbasti, mkosek, ppicka, pspacek, pvoborni, rcritten |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-15.el7_2.4 | Doc Type: | Bug Fix |
| Doc Text: | The ipa-ods-exporter utility and the ipa-dnskeysyncd daemon did not properly handle DNSSEC key purging, which is automatically done by the OpenDNSSEC Enforcer daemon 14 days after the particular key is no longer in use. Consequently, DNSSEC key synchronization stopped working 14 days after a key rotation. Because Zone Signing Key (ZSK) is rotated every 3 months, the problem typically occurred 3 months and 14 days after DNSSEC was enabled for the first DNS zone. With this update, ipa-ods-exporter and ipa-dnskeysyncd have been fixed to properly handle key purging, and key distribution now works as expected after a key purging event. | Story Points: | --- |
| Clone Of: | 1296214 | Environment: | |
| Last Closed: | 2016-02-16 10:59:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1296214 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Description
Jan Kurik
2016-01-13 09:03:40 UTC
Created attachment 1119450 [details]
log
VERIFIED
ipa-server-4.2.0-15.el7_2.5.x86_64
rotation ok
The doc text looks okay.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0211.html