Bug 2117342

Summary: dnssec-keyfromlabel fails with fatal: failed to get key dnssec.test/RSASHA256: no engine
Product: Fedora
Component: bind
Version: 37
Status: CLOSED ERRATA
Type: Bug
Reporter: Florence Blanc-Renaud <frenaud>
Assignee: Petr Menšík <pemensik>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: aegorenkov.91, anon.amish, awilliam, dns-sig, jjelen, mruprich, pemensik, vonsch, zdohnal
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Whiteboard: openqa
Fixed In Version: bind-9.18.6-3.fc38 bind-9.18.6-3.fc37
Doc Type: If docs needed, set a value
Last Closed: 2022-09-13 12:25:13 UTC
Bug Blocks: 2120605

Description Florence Blanc-Renaud 2022-08-10 16:53:13 UTC
Description of problem:
IPA DNSSEC functionality is broken with the update of bind to bind-9.18.5-1.fc37.x86_64

Version-Release number of selected component (if applicable):
bind-9.18.5-1.fc37.x86_64
freeipa-server-4.10.0-2.fc37.x86_64
openssl-pkcs11-0.4.12-2.fc37.x86_64

How reproducible:

Always

Steps to Reproduce:
1. install IPA server with ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarder -a Secret123 -p Secret123 -U
2. enable dnssec with ipa-dns-install --dnssec-master --forwarder 10.2.32.1 -U
3. create a signed zone with kinit admin; ipa dnszone-add dnssec.test. --dnssec true

Actual results:

The zone is not signed and the journal shows an error calling dnssec-keyfromlabel:
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: ipaserver.dnssec.bindmgr: INFO     Synchronizing zone dnssec.test.
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: ipaserver.dnssec.bindmgr: INFO     attrs: <ldap.cidict.cidict object at 0x7fd325ba05b0>
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: Traceback (most recent call last):
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module>
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib64/python3.11/site-packages/ldap/syncrepl.py", line 464, in syncrepl_poll
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.syncrepl_refreshdone()
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/keysyncer.py", line 128, in syncrepl_refreshdone
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.bindmgr.sync(self.dnssec_zones)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/bindmgr.py", line 232, in sync
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.sync_zone(zone)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/bindmgr.py", line 205, in sync_zone
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.install_key(zone, uuid, attrs, tempdir)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/bindmgr.py", line 146, in install_key
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     result = ipautil.run(cmd, capture_output=True)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipapython/ipautil.py", line 599, in run
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     raise CalledProcessError(
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/dnssec-keyfromlabel', '-E', 'pkcs11', '-K', '/var/named/dyndb-ldap/ipa/master/dnssec.test/tmpnkn0f4z3', '-a', b'RSASHA256', '-l', b'pkcs11:object=b431ac83a5f465151f9a27136f72869b;pin-source=/var/lib/ipa/dnssec/softhsm_pin', '-P', b'20220810164550', '-A', b'20220810164550', '-I', 'none', '-D', 'none', '-f', 'KSK', '-E', 'pkcs11', 'dnssec.test.'] returned non-zero exit status 1: 'dnssec-keyfromlabel: fatal: failed to get key dnssec.test/RSASHA256: no engine\n')

Expected results:
The zone should be signed
See the investigations from https://bugzilla.redhat.com/show_bug.cgi?id=2115865
The error does not happen if bind is downgraded to 9.16.30-1

Comment 1 Jakub Jelen 2022-09-01 13:01:16 UTC
My reading of the bind code is that they do not support engines with OpenSSL 3.0 and changed the code so that it cannot read pkcs11 engine keys with an OpenSSL API level >= 3:

https://github.com/isc-projects/bind9/commit/60535fc5f7ccee58c641a96fe52d9b15c192698b

https://github.com/isc-projects/bind9/blob/main/lib/dns/opensslecdsa_link.c#L1310

This probably did not surface before bind was rebuilt against OpenSSL 3.0 or rebased to a version containing the above commit.

If we want to support engines with openssl 3.0 even though they are deprecated, it will require a change on the bind side.
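
Added example, not FreeIPA or BIND code: a preflight check that rebuilds the dnssec-keyfromlabel command line ipa-dnskeysyncd ran in the description, runs it through an injectable runner so it can be exercised offline, and classifies the outcome so the "no engine" failure Comment 1 explains can be told apart from other errors. It also pulls the fatal message out of an ipa-dnskeysyncd journal line like the one above. The RunResult/Runner/classify names and the SAMPLE_* data are constructed here; the success path assumes dnssec-keyfromlabel prints the generated key name (Kzone.+alg+id) on stdout, and the default runner needs the real binary from the bind packages on the host.

```python
"""Preflight check for the 'no engine' failure on this page.

Added example, not part of FreeIPA or BIND. It rebuilds the dnssec-keyfromlabel
argv that ipa-dnskeysyncd ran (see the traceback in the description), runs it
through an injectable runner so it can be exercised offline, and classifies the
result. Assumptions: dnssec-keyfromlabel prints the generated key name
(Kzone.+alg+id) on stdout on success; RunResult/Runner and SAMPLE_* are invented here.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass
class RunResult:
    returncode: int
    stdout: str
    stderr: str


Runner = Callable[[Sequence[str]], RunResult]

# The error this bug is about, matched on stderr of a non-zero exit.
NO_ENGINE_RE = re.compile(r"failed to get key \S+: no engine")
# Key file base name printed on success (assumed format, e.g. Kdnssec.test.+008+12345).
KEYNAME_RE = re.compile(r"^(K\S+\+\d{3}\+\d{5})\s*$", re.M)
# The fatal message as it appears inside ipa-dnskeysyncd's CalledProcessError line.
JOURNAL_FATAL_RE = re.compile(r"dnssec-keyfromlabel: fatal: ([^'\\]+)")


def keyfromlabel_argv(zone: str, label: str, *, algorithm: str = "RSASHA256",
                      keydir: str = ".", ksk: bool = True, engine: str = "pkcs11",
                      publish: Optional[str] = None,
                      activate: Optional[str] = None) -> List[str]:
    """Same flags ipa-dnskeysyncd passed: -E engine, -K dir, -a alg, -l label,
    -P/-A timestamps, -I none -D none, -f KSK, and the zone with a trailing dot."""
    argv = ["/usr/bin/dnssec-keyfromlabel", "-E", engine, "-K", keydir,
            "-a", algorithm, "-l", label]
    if publish:
        argv += ["-P", publish]
    if activate:
        argv += ["-A", activate]
    argv += ["-I", "none", "-D", "none"]
    if ksk:
        argv += ["-f", "KSK"]
    argv.append(zone if zone.endswith(".") else zone + ".")
    return argv


def subprocess_runner(argv: Sequence[str]) -> RunResult:
    """Real runner: execute the binary on this host."""
    p = subprocess.run(list(argv), capture_output=True, text=True)
    return RunResult(p.returncode, p.stdout, p.stderr)


def classify(result: RunResult) -> Tuple[str, str]:
    """Return (status, detail): 'ok' with the key name, 'no-engine' for the
    failure on this page, or 'error' with the raw stderr for anything else."""
    if result.returncode == 0:
        m = KEYNAME_RE.search(result.stdout)
        return "ok", (m.group(1) if m else result.stdout.strip())
    if NO_ENGINE_RE.search(result.stderr):
        return "no-engine", ("dnssec-keyfromlabel cannot load keys through an OpenSSL "
                             "engine; on this page that is bind built against OpenSSL 3 "
                             "(bind-9.18.5-1.fc37), fixed in bind-9.18.6-3")
    return "error", result.stderr.strip()


def check(zone: str, label: str, runner: Runner = subprocess_runner, **kw) -> Tuple[str, str]:
    """Run the same command ipa-dnskeysyncd would and classify the result."""
    return classify(runner(keyfromlabel_argv(zone, label, **kw)))


def fatal_from_journal(text: str) -> Optional[str]:
    """Pull the dnssec-keyfromlabel fatal message out of an ipa-dnskeysyncd journal dump."""
    m = JOURNAL_FATAL_RE.search(text)
    return m.group(1).strip() if m else None


# Constructed sample: the CalledProcessError journal line from the description (argv abbreviated).
SAMPLE_JOURNAL = (
    "Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: "
    "ipapython.ipautil.CalledProcessError: CalledProcessError(Command "
    "['/usr/bin/dnssec-keyfromlabel', '-E', 'pkcs11'] returned non-zero exit status 1: "
    "'dnssec-keyfromlabel: fatal: failed to get key dnssec.test/RSASHA256: no engine\\n')"
)

# Constructed sample: what the failing run returned on this page.
SAMPLE_NO_ENGINE = RunResult(
    1, "", "dnssec-keyfromlabel: fatal: failed to get key dnssec.test/RSASHA256: no engine\n")


def fake_runner(argv: Sequence[str]) -> RunResult:
    """Offline stand-in for the broken bind build."""
    return SAMPLE_NO_ENGINE


if __name__ == "__main__":
    label = "pkcs11:object=b431ac83a5f465151f9a27136f72869b;pin-source=/var/lib/ipa/dnssec/softhsm_pin"
    print(" ".join(keyfromlabel_argv("dnssec.test", label, publish="20220810164550",
                                     activate="20220810164550",
                                     keydir="/var/named/dyndb-ldap/ipa/master/dnssec.test")))
    print(check("dnssec.test", label, runner=fake_runner))
    print(fatal_from_journal(SAMPLE_JOURNAL))
```

On a live host, call check() without the runner argument against the real label and key directory; a "no-engine" result means the installed bind build is the one this bug describes, and the fix is the bind-9.18.6-3 update, not an IPA-side change.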

Comment 2 Fedora Update System 2022-09-13 12:12:01 UTC
FEDORA-2022-0fea8abd6e has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0fea8abd6e

Comment 3 Fedora Update System 2022-09-13 12:25:13 UTC
FEDORA-2022-0fea8abd6e has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2022-09-13 13:49:08 UTC
FEDORA-2022-cbcb55d5c7 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-cbcb55d5c7

Comment 5 Fedora Update System 2022-09-14 01:52:24 UTC
FEDORA-2022-cbcb55d5c7 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-cbcb55d5c7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-cbcb55d5c7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-09-18 00:17:26 UTC
FEDORA-2022-cbcb55d5c7 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.