Description of problem:
IPA DNSSEC functionality is broken with the update of bind to bind-9.18.5-1.fc37.x86_64

Version-Release number of selected component (if applicable):
bind-9.18.5-1.fc37.x86_64
freeipa-server-4.10.0-2.fc37.x86_64
openssl-pkcs11-0.4.12-2.fc37.x86_64

How reproducible:
Always

Steps to Reproduce:
1. install IPA server with ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarder -a Secret123 -p Secret123 -U
2. enable dnssec with ipa-dns-install --dnssec-master --forwarder 10.2.32.1 -U
3. create a signed zone with kinit admin; ipa dnszone-add dnssec.test. --dnssec true

Actual results:
The zone is not signed and the journal shows an error calling dnssec-keyfromlabel:

Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: ipaserver.dnssec.bindmgr: INFO Synchronizing zone dnssec.test.
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: ipaserver.dnssec.bindmgr: INFO attrs: <ldap.cidict.cidict object at 0x7fd325ba05b0>
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: Traceback (most recent call last):
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module>
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib64/python3.11/site-packages/ldap/syncrepl.py", line 464, in syncrepl_poll
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.syncrepl_refreshdone()
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/keysyncer.py", line 128, in syncrepl_refreshdone
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.bindmgr.sync(self.dnssec_zones)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/bindmgr.py", line 232, in sync
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.sync_zone(zone)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/bindmgr.py", line 205, in sync_zone
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.install_key(zone, uuid, attrs, tempdir)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/bindmgr.py", line 146, in install_key
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     result = ipautil.run(cmd, capture_output=True)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipapython/ipautil.py", line 599, in run
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     raise CalledProcessError(
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/dnssec-keyfromlabel', '-E', 'pkcs11', '-K', '/var/named/dyndb-ldap/ipa/master/dnssec.test/tmpnkn0f4z3', '-a', b'RSASHA256', '-l', b'pkcs11:object=b431ac83a5f465151f9a27136f72869b;pin-source=/var/lib/ipa/dnssec/softhsm_pin', '-P', b'20220810164550', '-A', b'20220810164550', '-I', 'none', '-D', 'none', '-f', 'KSK', '-E', 'pkcs11', 'dnssec.test.'] returned non-zero exit status 1: 'dnssec-keyfromlabel: fatal: failed to get key dnssec.test/RSASHA256: no engine\n')

Expected results:
The zone should be signed

See the investigations from https://bugzilla.redhat.com/show_bug.cgi?id=2115865

The error does not happen if bind is downgraded to 9.16.30-1
My reading of the bind code is that they do not support engines with OpenSSL 3.0 and changed the code so that it cannot read pkcs11 engine keys with openssl API level >= 3:
https://github.com/isc-projects/bind9/commit/60535fc5f7ccee58c641a96fe52d9b15c192698b
https://github.com/isc-projects/bind9/blob/main/lib/dns/opensslecdsa_link.c#L1310

This probably did not surface before because bind was not rebuilt against openssl 3.0 or rebased to a version containing the above commit.

If we want to support engines with openssl 3.0 even though they are deprecated, it will require a change on the bind side.
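A preflight check for the bind/OpenSSL combination discussed in the comment above, added here as an example that is not part of the bug report, of bind or of FreeIPA. It parses the first line of `named -v` and the output of `openssl version` with POSIX tools only; the version boundary it flags (bind 9.18 or later together with OpenSSL 3 or later) is taken from this report's observations (9.18.5 fails, 9.16.30 works) and is an assumption for other builds.

```shell
#!/bin/sh
# Preflight: will dnssec-keyfromlabel -E pkcs11 still be able to load
# engine-backed keys on this host?  Assumed input formats (not from the page):
#   named -v          -> "BIND 9.18.5 (Extended Support Version) <id:...>"
#   openssl version   -> "OpenSSL 3.0.5 5 Jul 2022"

# Extract "major.minor" from a `named -v` line (empty if unparsable).
bind_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9]*\.[0-9]*\).*/\1/p'
}

# Extract "major.minor" from an `openssl version` line (empty if unparsable).
openssl_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9]*\.[0-9]*\).*/\1/p'
}

# Exit 0 when engine-backed pkcs11 keys are expected to fail with "no engine":
# bind >= 9.18 on OpenSSL >= 3 (assumed boundary, see lead-in).
# Exit 1 when the combination is expected to work, 2 when input is unparsable.
engine_keys_unsupported() {
    bind_mm=$(bind_major_minor "$1")
    ssl_mm=$(openssl_major_minor "$2")
    [ -n "$bind_mm" ] && [ -n "$ssl_mm" ] || return 2
    bind_major=${bind_mm%%.*}
    bind_minor=${bind_mm#*.}
    ssl_major=${ssl_mm%%.*}
    if [ "$ssl_major" -ge 3 ]; then
        if [ "$bind_major" -gt 9 ] || { [ "$bind_major" -eq 9 ] && [ "$bind_minor" -ge 18 ]; }; then
            return 0
        fi
    fi
    return 1
}

# Human-readable verdict for operators enabling DNSSEC on an IPA DNS master.
preflight() {
    if engine_keys_unsupported "$1" "$2"; then
        echo "WARN: BIND $(bind_major_minor "$1") with OpenSSL $(openssl_major_minor "$2"): engine-based pkcs11 keys will fail ('no engine'); zones will stay unsigned"
    else
        echo "OK: BIND $(bind_major_minor "$1") with OpenSSL $(openssl_major_minor "$2"): engine-based pkcs11 keys expected to load"
    fi
}

# Stand-alone run against the live host when both tools are installed.
if command -v named >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    preflight "$(named -v 2>/dev/null | head -n 1)" "$(openssl version)"
fi
```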
FEDORA-2022-0fea8abd6e has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0fea8abd6e
FEDORA-2022-0fea8abd6e has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2022-cbcb55d5c7 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-cbcb55d5c7
FEDORA-2022-cbcb55d5c7 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-cbcb55d5c7` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-cbcb55d5c7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-cbcb55d5c7 has been pushed to the Fedora 37 stable repository. If the problem still persists, please make note of it in this bug report.