Bug 2026732

Summary: Missing bind-pkcs11-utils causing failures in OpenDNSSec in RHEL9; the fix affects RHEL8
Product: Red Hat Enterprise Linux 8
Reporter: François Cami <fcami>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 8.6
CC: abokovoy, antorres, ftrivino, gkaihoro, ipa-qe, mpolovka, mrhodes, ndehadra, pemensik, rcritten, rjeffman, tscherf
Target Milestone: rc
Keywords: Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.9.8-2.module+el8.6.0+13621+937b8cd9
Clone Of: 2020205
Last Closed: 2022-05-10 14:09:17 UTC
Type: Bug
Bug Depends On: 2020205, 2020207
Bug Blocks: 2020204

Comment 1 François Cami 2021-11-25 16:48:55 UTC
--- Additional comment from Petr Menšík on 2021-11-05 15:03:58 UTC ---

/usr/sbin/dnssec-keyfromlabel-pkcs11 should be replaced with a /usr/sbin/dnssec-keyfromlabel -E pkcs11 call. bind-pkcs11-utils contains duplicate tools linked to the native build. Since the native pkcs11 build should not be required when named uses the OpenSSL pkcs11 engine, it was disabled in RHEL9. Just dnssec-keyfromlabel from bind-dnssec-utils should provide the same functionality with the -E pkcs11 parameter to choose the pkcs11 engine from OpenSSL.

Summary of the change:
* RHEL8 => /usr/sbin/dnssec-keyfromlabel-pkcs11
* RHEL9 => /usr/sbin/dnssec-keyfromlabel -E pkcs11

--- Additional comment from François Cami on 2021-11-25 16:45:02 UTC ---

Fixed upstream
master:
https://pagure.io/freeipa/c/20f68d817de183f2fc2e25a6964fc1fdf431969c
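
Added example (not part of the bug report and not FreeIPA's code): a shell helper that picks the key-from-label invocation per the RHEL8/RHEL9 split summarized above, preferring the native tool when bind-pkcs11-utils is installed. The function name and the optional root-prefix argument are assumptions made so the logic can be run against a scratch directory.

```shell
#!/bin/sh
# Added example: select the dnssec-keyfromlabel invocation for this host.
# $1 is a hypothetical root prefix (empty on a real system); it exists only
# so the selection can be exercised against a constructed directory tree.
keyfromlabel_cmd() {
    root="${1:-}"
    native="$root/usr/sbin/dnssec-keyfromlabel-pkcs11"
    generic="$root/usr/sbin/dnssec-keyfromlabel"

    if [ -x "$native" ]; then
        # RHEL8: bind-pkcs11-utils is present, keep using the natively
        # linked tool. This must be checked first because the generic
        # tool from bind-dnssec-utils can be installed alongside it.
        printf '%s\n' "$native"
    elif [ -x "$generic" ]; then
        # RHEL9: no native pkcs11 build, so select the OpenSSL pkcs11
        # engine explicitly with -E pkcs11.
        printf '%s -E pkcs11\n' "$generic"
    else
        # Neither tool is installed: fail loudly instead of letting a
        # later key operation break with a "command not found" error.
        echo "no dnssec-keyfromlabel tool under ${root:-/}" >&2
        return 1
    fi
}
```

Callers append their own label and key arguments to the printed command; a non-zero return means neither package providing the tool is installed.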

Comment 2 François Cami 2021-11-25 16:49:44 UTC
What's needed for RHEL8: carry the reverse of the patch listed in comment#1, so that RHEL8 continues to use /usr/sbin/dnssec-keyfromlabel-pkcs11.

Comment 3 François Cami 2021-11-25 16:50:24 UTC
Setting to POST as the fix for the original bug is committed upstream AND what's needed here is the reverse of this change.

Comment 4 Antonio Torres 2021-11-25 17:40:03 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/f89d59b6e18b54967682f6a37ce92ae67ab3fcda

Comment 9 Michal Polovka 2022-01-17 12:46:36 UTC
Verified using automation in test_integration/test_dnssec.py::TestInstallDNSSECLast::()::test_if_zone_is_signed_replica on a RHEL86 machine with ipa-server-4.9.8-2.module+el8.6.0+13621+937b8cd9.x86_64

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.11.0, pluggy-1.0.0 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-359.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 14 items

test_integration/test_dnssec.py::TestInstallDNSSECLast::test_install_dnssec_master PASSED [  7%]
test_integration/test_dnssec.py::TestInstallDNSSECLast::test_if_zone_is_signed_master PASSED [ 14%]
test_integration/test_dnssec.py::TestInstallDNSSECLast::test_if_zone_is_signed_replica PASSED [ 21%]
test_integration/test_dnssec.py::TestInstallDNSSECLast::test_key_types PASSED [ 28%]
test_integration/test_dnssec.py::TestInstallDNSSECLast::test_disable_reenable_signing_master PASSED [ 35%]
test_integration/test_dnssec.py::TestInstallDNSSECLast::test_disable_reenable_signing_replica PASSED [ 42%]
test_integration/test_dnssec.py::TestInstallDNSSECFirst::test_sign_root_zone PASSED [ 50%]
test_integration/test_dnssec.py::TestInstallDNSSECFirst::test_delegation PASSED [ 57%]
test_integration/test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust_drill FAILED [ 64%]
test_integration/test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust_delv SKIPPED [ 71%]
test_integration/test_dnssec.py::TestInstallDNSSECFirst::test_servers_use_localhost_as_dns PASSED [ 78%]
test_integration/test_dnssec.py::TestMigrateDNSSECMaster::test_migrate_dnssec_master PASSED [ 85%]
test_integration/test_dnssec.py::TestInstallNoDnssecValidation::test_install_withDnssecValidation PASSED [ 92%]
test_integration/test_dnssec.py::TestInstallNoDnssecValidation::test_install_noDnssecValidation PASSED [100%]

=================================== FAILURES ===================================
_______________ TestInstallDNSSECFirst.test_chain_of_trust_drill _______________
...irrelevant error caused by test env...


Therefore marking as verified. Automation exists.

Comment 14 errata-xmlrpc 2022-05-10 14:09:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884