Bug 1912556 - Incorrect DNSKEY created when DNSSEC enabled for zone
Summary: Incorrect DNSKEY created when DNSSEC enabled for zone
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.3
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: rc
: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-04 18:33 UTC by Tomasz Kepczynski
Modified: 2021-11-09 23:04 UTC (History)

Fixed In Version: ipa-4.9.3-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 18:21:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
System ID | Last Updated
Red Hat Issue Tracker FREEIPA-7268 | 2021-11-09 18:26:56 UTC
Red Hat Knowledge Base (Solution) 5806521 | 2021-02-16 14:16:23 UTC
Red Hat Product Errata RHBA-2021:4230 | 2021-11-09 18:22:11 UTC

Description Tomasz Kepczynski 2021-01-04 18:33:15 UTC
Description of problem:
When DNSSEC is enabled for the zone two DNSKEYs should be created for the zone: one KSK key (for trust chain connection from upper level zone) and one ZSK key for record signing.
Currently two KSK DNSKEYs are created.

Version-Release number of selected component (if applicable):
ipa-selinux-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-dns-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-client-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-healthcheck-core-0.4-6.module_el8.3.0+482+9e103aab.noarch
ipa-server-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-server-trust-ad-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-client-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch

How reproducible:
Probably always. Visible in 5 different zones (not yet exposed on the Internet).

Steps to Reproduce:
1. Create zone as usual.
2. Enable DNSSEC: ipa dnszone-mod <zonename> --dnssec=true
3. Enable NSEC3:  ipa dnszone-mod <zonename> --nsec3param-rec="1 1 10 $(xxd -ps -l8 -u /dev/urandom)"

Actual results:
2 KSKs attached to the zone.

Expected results:
1 KSK and 1 ZSK attached to the zone.

Additional info:
Key listing from opendnssec:
filippa:~# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-enforcer key list -v -z <xxx>.eu
Keys:
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
<xxx>.eu                        KSK      publish   2021-01-05 08:43:35      3072  8          820cd89ce8c3bc9d191e6f1afc664fe4 SoftHSM     36710
<xxx>.eu                        ZSK      ready     2021-01-05 08:43:35      2048  8          250d09a4724d46676e4b7fe0b77eb9ba SoftHSM     24045

Please note keytypes in the listing above: 1 KSK & 1 ZSK.

dig output:
filippa:~# dig <xxx>.eu dnskey +short +rrcomments
257 3 8 AwEAAbv1+PERvOibE315J7G0z6X9G/gXzCYQjO53E1jawFy+Jskg/aQ8 A5o5cWlR8ip5z4TLH1qwRUznvbZAWUNi26EqSCLL/oEYLfl8ibexRWip 5i12D1lxPtl4j6rYDUMeLmu7Nmt6uMRyG8FmzwKKmNLG76U4EJTjGgO+ 7xdDzU9U6pppwxJD3RCeuYFHn78pxsNwnEOYo5ICOCXCHuTZw6YWq1oH JY+nuzBhtFlU82T4p2MoqvNlfRjd+85yIgJVImvXpyMLWBTVcgpv1goY nb3wF3LMlWJU8wZVLTXuJjQrXWyfnrATzGe7lKmMRNxhtvGoEXAmRjFP 4auS74Oh1SE=  ; KSK; alg = RSASHA256 ; key id = 24046
257 3 8 AwEAAcCeLyVFPsCDR2b8q1cB4O+qPzroVdyN56/SseHPFwHsEXwHqbOD HKWKl8inUc2fDK0rboPP0CrMxxTDWC+JDY4CCqGZcYO8YeIR04BRb9A9 IiCvtWvxBo8qNhLvDGFhFaUHVWIsJfBl+PtkgmbbwGZ6k7JuO1vnxCVc sP9ZvLfFqdj6CeIGhCmISKTZ/iNYIX4hZ1o7NrYhD+o6d+f3v69Q8Q9F 8aTUeG5KwDPlYQMMyI6SxKaSO1lR/8DrCAdn7KOMW6hZmB9b+l5t4RrW /eJ76DlISHGpxZTUkXGRDKah6yGpDK0CyQRa8uUPsQ6WJ3V/xyWF0SJ1 0HRPk3OwgqUm6iSukOdBIgIb6Gfrtxpsi6VkLiq2QDGOFou6RD7F5ddU tvlao+AWrnQ75HqyHvvzjtYHEXTsBCXb+9oWEDi0jfaFlKVeO+xmKKd5 6NuzBAwzSRsgtucxAqjB+IB6Yt8DEW+jaH7J10NUkeMiQEFD/hW26Gsg DdaZIZaLTI2Ihw==  ; KSK; alg = RSASHA256 ; key id = 36710

Please note BOTH keys are marked as KSK (both in comments and by keyflags in the first field: 257).
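
As an added example (not code from the bug report or from FreeIPA), the Python below parses the two DNSKEY records from the dig output above, classifies each by its flags word (256 = ZSK, 257 = KSK, i.e. zone-key bit plus SEP bit) and computes the RFC 4034 Appendix B key tag; because the flags word is the first 16 bits of the tag input, publishing a key with the SEP bit set shifts its tag, which is consistent with the one-off key ids on this page (24045 for the 2048-bit key in the ods-enforcer listing, 24046 for the same-sized key in dig). All function names are my own; the sample records are copied from the description.

```python
import base64
import struct

# Constructed sample input: the two records from the bug's `dig <zone> dnskey +short` output, comments stripped.
DIG_OUTPUT = [
    "257 3 8 " "AwEAAbv1+PERvOibE315J7G0z6X9G/gXzCYQjO53E1jawFy+Jskg/aQ8"
    "A5o5cWlR8ip5z4TLH1qwRUznvbZAWUNi26EqSCLL/oEYLfl8ibexRWip"
    "5i12D1lxPtl4j6rYDUMeLmu7Nmt6uMRyG8FmzwKKmNLG76U4EJTjGgO+"
    "7xdDzU9U6pppwxJD3RCeuYFHn78pxsNwnEOYo5ICOCXCHuTZw6YWq1oH"
    "JY+nuzBhtFlU82T4p2MoqvNlfRjd+85yIgJVImvXpyMLWBTVcgpv1goY"
    "nb3wF3LMlWJU8wZVLTXuJjQrXWyfnrATzGe7lKmMRNxhtvGoEXAmRjFP"
    "4auS74Oh1SE=",
    "257 3 8 " "AwEAAcCeLyVFPsCDR2b8q1cB4O+qPzroVdyN56/SseHPFwHsEXwHqbOD"
    "HKWKl8inUc2fDK0rboPP0CrMxxTDWC+JDY4CCqGZcYO8YeIR04BRb9A9"
    "IiCvtWvxBo8qNhLvDGFhFaUHVWIsJfBl+PtkgmbbwGZ6k7JuO1vnxCVc"
    "sP9ZvLfFqdj6CeIGhCmISKTZ/iNYIX4hZ1o7NrYhD+o6d+f3v69Q8Q9F"
    "8aTUeG5KwDPlYQMMyI6SxKaSO1lR/8DrCAdn7KOMW6hZmB9b+l5t4RrW"
    "/eJ76DlISHGpxZTUkXGRDKah6yGpDK0CyQRa8uUPsQ6WJ3V/xyWF0SJ1"
    "0HRPk3OwgqUm6iSukOdBIgIb6Gfrtxpsi6VkLiq2QDGOFou6RD7F5ddU"
    "tvlao+AWrnQ75HqyHvvzjtYHEXTsBCXb+9oWEDi0jfaFlKVeO+xmKKd5"
    "6NuzBAwzSRsgtucxAqjB+IB6Yt8DEW+jaH7J10NUkeMiQEFD/hW26Gsg"
    "DdaZIZaLTI2Ihw==",
]


def parse_dnskey(line):
    """Split presentation-format DNSKEY RDATA into (flags, protocol, algorithm, key bytes)."""
    flags, protocol, algorithm, *b64 = line.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64))


def key_role(flags):
    """Bit 7 (0x100) marks a zone key; bit 15 (0x001) is the SEP flag: 256 = ZSK, 257 = KSK."""
    if not flags & 0x100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x001 else "ZSK"


def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag over the wire RDATA; the flags word is part of the sum."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def audit_zone_keys(lines):
    """Count KSK/ZSK roles in a DNSKEY RRset; a signed zone needs at least one of each."""
    roles = [key_role(parse_dnskey(line)[0]) for line in lines]
    counts = {role: roles.count(role) for role in ("KSK", "ZSK")}
    counts["ok"] = counts["KSK"] >= 1 and counts["ZSK"] >= 1
    return counts
```

Running audit_zone_keys over the bug's records reports two KSKs and no ZSK, which is the condition the reporter describes.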

Comment 1 Florence Blanc-Renaud 2021-01-07 07:13:33 UTC
This is a valid issue, reproducer provided in the summary.
Present since the migration to OpenDNSSEC 2.1.

Comment 2 Florence Blanc-Renaud 2021-01-07 07:19:05 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8647

Comment 4 Florence Blanc-Renaud 2021-02-04 13:23:29 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/cdfc86364ee2eed2aafda2e8b3a484a7a264677e
https://pagure.io/freeipa/c/7902c784963c64b2d0fba8e7fa03529e793c221c
https://pagure.io/freeipa/c/ca17a81a30cc83568008bad9031db3b8c6b90f2f

Test case added upstream in ipatests/test_integration/test_dnssec.py::TestInstallDNSSECLast::test_key_types

Comment 10 Michal Polovka 2021-06-11 09:35:35 UTC
Verified using automated test ipatests/test_integration/test_dnssec.py::TestInstallDNSSECLast

Verified version: 4.9.3-1.module+el8.5.0+10565+ae980a94

Test output:
Passed 	test_integration/test_dnssec.py::TestInstallDNSSECLast::()::test_key_types

Marking as verified.

Comment 11 Rob Crittenden 2021-06-20 05:17:16 UTC
*** Bug 1973951 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2021-11-09 18:21:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230

