This BZ is a tracker for dnssec-related issues on fedora 37. Currently we are seeing 2 different types of failures:
- on an IPA server with dnssec-validation enabled, openQA detects a failure enrolling freeipa client because of DNS issues (the DNS resolution fails for kojipkgs.fedoraproject.org)
- on an IPA server with DNSSEC enabled, enabling zone signing for a given zone does not create the DNSKEY records and the zone is not signed.

Relevant BZ:
- #2117859 - FreeIPA client enrolment fails due to DNS issues with openssl-pkcs11-0.4.12-2.fc37 on server
- #2117342 - dnssec-keyfromlabel fails with fatal: failed to get key dnssec.test/RSASHA256: no engine
- #2115865 - dnssec-keyfromlabel fails with openssl-pkcs11-0.4.12-1.fc36

When the above BZs are fixed, freeipa will need to bump its "Requires:" for bind and openssl-pkcs11 packages.
FreeIPA spec file has bumped the required bump version:
- master: dface55 Spec file: bump bind version on f37+
- ipa-4-10: 1dfb5d5 Spec file: bump bind version on f37+
The 3 bugs tracked by this BZ have been closed as fixed, hence I'm also closing this one.