Description by Tomasz Kepczynski, 2021-01-04 18:33:15 UTC
Description of problem:
When DNSSEC is enabled for the zone, two DNSKEYs should be created for the zone: one KSK key (for trust chain connection from the upper level zone) and one ZSK key for record signing.
Currently two KSK DNSKEYs are created.
Version-Release number of selected component (if applicable):
ipa-selinux-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-dns-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-client-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-healthcheck-core-0.4-6.module_el8.3.0+482+9e103aab.noarch
ipa-server-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-server-trust-ad-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-client-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
How reproducible:
Probably always. Visible in 5 different zones (not yet exposed on the Internet).
Steps to Reproduce:
1. Create zone as usual.
2. Enable DNSSEC: ipa dnszone-mod <zonename> --dnssec=true
3. Enable NSEC3: ipa dnszone-mod <zonename> --nsec3param-rec="1 1 10 $(xxd -ps -l8 -u /dev/urandom)"
Actual results:
2 KSKs attached to the zone.
Expected results:
1 KSK and 1 ZSK attached to the zone.
Additional info:
Key listing from opendnssec:
filippa:~# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-enforcer key list -v -z <xxx>.eu
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
<xxx>.eu KSK publish 2021-01-05 08:43:35 3072 8 820cd89ce8c3bc9d191e6f1afc664fe4 SoftHSM 36710
<xxx>.eu ZSK ready 2021-01-05 08:43:35 2048 8 250d09a4724d46676e4b7fe0b77eb9ba SoftHSM 24045
Please note keytypes in the listing above: 1 KSK & 1 ZSK.
dig output:
filippa:~# dig <xxx>.eu dnskey +short +rrcomments
257 3 8 AwEAAbv1+PERvOibE315J7G0z6X9G/gXzCYQjO53E1jawFy+Jskg/aQ8 A5o5cWlR8ip5z4TLH1qwRUznvbZAWUNi26EqSCLL/oEYLfl8ibexRWip 5i12D1lxPtl4j6rYDUMeLmu7Nmt6uMRyG8FmzwKKmNLG76U4EJTjGgO+ 7xdDzU9U6pppwxJD3RCeuYFHn78pxsNwnEOYo5ICOCXCHuTZw6YWq1oH JY+nuzBhtFlU82T4p2MoqvNlfRjd+85yIgJVImvXpyMLWBTVcgpv1goY nb3wF3LMlWJU8wZVLTXuJjQrXWyfnrATzGe7lKmMRNxhtvGoEXAmRjFP 4auS74Oh1SE= ; KSK; alg = RSASHA256 ; key id = 24046
257 3 8 AwEAAcCeLyVFPsCDR2b8q1cB4O+qPzroVdyN56/SseHPFwHsEXwHqbOD HKWKl8inUc2fDK0rboPP0CrMxxTDWC+JDY4CCqGZcYO8YeIR04BRb9A9 IiCvtWvxBo8qNhLvDGFhFaUHVWIsJfBl+PtkgmbbwGZ6k7JuO1vnxCVc sP9ZvLfFqdj6CeIGhCmISKTZ/iNYIX4hZ1o7NrYhD+o6d+f3v69Q8Q9F 8aTUeG5KwDPlYQMMyI6SxKaSO1lR/8DrCAdn7KOMW6hZmB9b+l5t4RrW /eJ76DlISHGpxZTUkXGRDKah6yGpDK0CyQRa8uUPsQ6WJ3V/xyWF0SJ1 0HRPk3OwgqUm6iSukOdBIgIb6Gfrtxpsi6VkLiq2QDGOFou6RD7F5ddU tvlao+AWrnQ75HqyHvvzjtYHEXTsBCXb+9oWEDi0jfaFlKVeO+xmKKd5 6NuzBAwzSRsgtucxAqjB+IB6Yt8DEW+jaH7J10NUkeMiQEFD/hW26Gsg DdaZIZaLTI2Ihw== ; KSK; alg = RSASHA256 ; key id = 36710
Please note BOTH keys are marked as KSK (both in comments and by keyflags in the first field: 257).
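As an added example (not code from the report or from FreeIPA), here is a small Python check in the spirit of the test named in the verification comment: it parses `dig <zone> DNSKEY +short +rrcomments` output, classifies each key by its flags field (257 = Zone Key + SEP bit, i.e. KSK; 256 = Zone Key only, i.e. ZSK) and fails when the zone does not publish exactly one of each. It also computes the RFC 4034 key tag, which shows why a ZSK published with the SEP bit set gets a tag exactly one higher; that is consistent with ods-enforcer listing the ZSK as tag 24045 while dig shows a 257-flagged key with id 24046. The sample records are constructed with short, fake key material.

```python
import base64

# Added example, not FreeIPA code. RFC 4034 DNSKEY flag bits:
ZONE_KEY = 0x0100  # bit 7: key is a zone key
SEP = 0x0001       # bit 15: Secure Entry Point, marks a KSK

def key_role(flags: int) -> str:
    """Map DNSKEY flags to the role the signer intends for the key."""
    if not flags & ZONE_KEY:
        return "not-a-zone-key"
    return "KSK" if flags & SEP else "ZSK"

def parse_dnskey_short(output: str) -> list[tuple[int, int, int, bytes]]:
    """Parse `dig <zone> DNSKEY +short [+rrcomments]` lines into (flags, proto, alg, key)."""
    records = []
    for line in output.splitlines():
        line = line.split(";", 1)[0].strip()  # drop '; KSK; alg = ...' comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed DNSKEY record: {line!r}")
        flags, proto, alg = (int(f) for f in fields[:3])
        records.append((flags, proto, alg, base64.b64decode("".join(fields[3:]))))
    return records

def key_tag(flags: int, proto: int, alg: int, key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 excluded)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def check_key_roles(output: str) -> tuple[bool, str]:
    """A freshly signed zone should publish exactly one KSK and one ZSK."""
    roles = [key_role(flags) for flags, *_ in parse_dnskey_short(output)]
    ksk, zsk = roles.count("KSK"), roles.count("ZSK")
    ok = ksk == 1 and zsk == 1
    return ok, f"{ksk} KSK, {zsk} ZSK published" + ("" if ok else " (expected 1 and 1)")

# Constructed samples with short fake key material; BUGGY_ZONE mirrors the report.
BUGGY_ZONE = "257 3 8 AwEAAQ== ; KSK; alg = RSASHA256\n257 3 8 AwEAAg== ; KSK; alg = RSASHA256\n"
HEALTHY_ZONE = "257 3 8 AwEAAQ== ; KSK; alg = RSASHA256\n256 3 8 AwEAAg== ; ZSK; alg = RSASHA256\n"

if __name__ == "__main__":
    for name, zone in (("buggy", BUGGY_ZONE), ("healthy", HEALTHY_ZONE)):
        print(name, *check_key_roles(zone))
```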
Comment 1 by Florence Blanc-Renaud, 2021-01-07 07:13:33 UTC
This is a valid issue, reproducer provided in the summary.
Present since the migration to OpenDNSSEC 2.1.
Comment 2 by Florence Blanc-Renaud, 2021-01-07 07:19:05 UTC
Verified using automated test ipatests/test_integration/test_dnssec.py::TestInstallDNSSECLast
Verified version: 4.9.3-1.module+el8.5.0+10565+ae980a94
Test output:
Passed test_integration/test_dnssec.py::TestInstallDNSSECLast::()::test_key_types
Marking as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:4230