Bug 1298102

Summary: DNSSEC key purging is not handled properly
Product: Red Hat Enterprise Linux 7 Reporter: Jan Kurik <jkurik>
Component: ipa Assignee: Pavel Picka <ppicka>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.3 CC: ekeck, enewland, ipa-maint, jcholast, ksiddiqu, mbasti, mkosek, ppicka, pspacek, pvoborni, rcritten
Target Milestone: rc Keywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.2.0-15.el7_2.4 Doc Type: Bug Fix
Doc Text:
The ipa-ods-exporter utility and the ipa-dnskeysyncd daemon did not properly handle DNSSEC key purging, which the OpenDNSSEC Enforcer daemon performs automatically 14 days after a particular key is no longer in use. Consequently, DNSSEC key synchronization stopped working 14 days after a key rotation. Because the Zone Signing Key (ZSK) is rotated every 3 months, the problem typically occurred 3 months and 14 days after DNSSEC was enabled for the first DNS zone. With this update, ipa-ods-exporter and ipa-dnskeysyncd have been fixed to properly handle key purging, and key distribution now works as expected after a key purging event.
Story Points: ---
Clone Of: 1296214 Environment:
Last Closed: 2016-02-16 10:59:02 UTC Type: ---
Bug Depends On: 1296214    
Bug Blocks:    
Attachments:
Description Flags
log none

Description Jan Kurik 2016-01-13 09:03:40 UTC
This bug has been copied from bug #1296214 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 5 Pavel Picka 2016-01-29 15:16:43 UTC
Created attachment 1119450
log

VERIFIED

ipa-server-4.2.0-15.el7_2.5.x86_64

rotation ok

Comment 6 Petr Spacek 2016-02-08 12:46:16 UTC
The doc text looks okay.

Comment 8 errata-xmlrpc 2016-02-16 10:59:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0211.html