Bug 1298102 - DNSSEC key purging is not handled properly
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: All Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Pavel Picka
QA Contact: Namita Soman
Keywords: ZStream
Depends On: 1296214
Blocks:

Reported: 2016-01-13 04:03 EST by Jan Kurik
Modified: 2016-02-16 05:59 EST

See Also:
Fixed In Version: ipa-4.2.0-15.el7_2.4
Doc Type: Bug Fix
Doc Text:
The ipa-ods-exporter utility and the ipa-dnskeysyncd daemon did not properly handle DNSSEC key purging, which the OpenDNSSEC Enforcer daemon performs automatically 14 days after a key is no longer in use. Consequently, DNSSEC key synchronization stopped working 14 days after a key rotation. Because the Zone Signing Key (ZSK) is rotated every 3 months, the problem typically occurred 3 months and 14 days after DNSSEC was enabled for the first DNS zone. With this update, ipa-ods-exporter and ipa-dnskeysyncd have been fixed to properly handle key purging, and key distribution now works as expected after a key purging event.
Story Points: ---
Clone Of: 1296214
Environment:
Last Closed: 2016-02-16 05:59:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
log (32.86 KB, text/plain)
2016-01-29 10:16 EST, Pavel Picka


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0211 normal SHIPPED_LIVE ipa bug fix update 2016-02-16 10:57:02 EST

Description Jan Kurik 2016-01-13 04:03:40 EST
This bug has been copied from bug #1296214 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 5 Pavel Picka 2016-01-29 10:16 EST
Created attachment 1119450
log

VERIFIED

ipa-server-4.2.0-15.el7_2.5.x86_64

rotation ok
Comment 6 Petr Spacek 2016-02-08 07:46:16 EST
The doc text looks okay.
Comment 8 errata-xmlrpc 2016-02-16 05:59:02 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0211.html
