[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

Guido Schmitz g.schmitz at gtrs.de
Wed Aug 17 12:38:40 UTC 2016


>> Still, there is one problem:
>> My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
>> algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
>> in LDAP (under attribute idnsSecAlgorithm in the entry
>> cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns), but BIND seems
>> to ignore this attribute and assumes that it is always algorithm 8.
> 
> Hmm, algorithm mismatch will cause DNSSEC validation to break horribly. The
> generated records will not match what is indicated in DS record of the parent
> zone...
> 
> Please look into
> /var/named/dyndb-ldap/ipa/master/myzone.com/keys
> and inspect BIND key files (*.private). Cross-check values in files with
> values shown by OpenDNSSEC. All the values should match.
> 
> If they do not match, we have a bug somewhere in the synchronization
> mechanism, which is possible.

The imported KSK does not exist in this directory (neither on the master
server nor on the replica). The keys created by IPA are present in this
directory.

Now, I also checked if the imported KSK is used to sign the ZSK, but
there are no matching RRSIG records. (When I wrote earlier that BIND
uses the imported KSK, I only checked whether a DNSKEY record for this
KSK is present. The DNSKEY record is present, but with the wrong algorithm.)
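An added check for the mismatch described in the quoted reply above (example code, not from this thread or from FreeIPA): it derives the key tag and DS digest the way the parent zone would and compares them with the DNSKEY set the child actually publishes, so a KSK whose key material is right but whose algorithm byte is wrong is reported as such. The zone name and key bytes are constructed placeholders.

```python
import hashlib

# Constructed placeholders: not a real RSA key, not a real zone.
ZONE = "myzone.com."
PUBKEY = bytes(range(1, 65))

def wire_name(name):
    """Canonical wire form of an owner name (lowercase labels, length-prefixed, root byte)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA per RFC 4034: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """Digest type 2 (SHA-256) over the owner name in wire form followed by the DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def ds_record(owner, rdata):
    """(key tag, algorithm, digest type, digest) as the parent zone would publish it."""
    return (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))

def check_ds(owner, ds, dnskeys):
    """Compare a parent DS with the child's DNSKEY set; dnskeys are (flags, protocol, algorithm, pubkey)."""
    tag, alg, _dtype, digest = ds
    for flags, proto, k_alg, pub in dnskeys:
        rdata = dnskey_rdata(flags, proto, k_alg, pub)
        if key_tag(rdata) == tag and k_alg == alg and ds_digest(owner, rdata) == digest:
            return "ok"
    # No exact match: re-encode each published key with the algorithm the DS names.
    # If that reproduces the DS, the key material is right but the algorithm byte is not.
    for flags, proto, k_alg, pub in dnskeys:
        alt = dnskey_rdata(flags, proto, alg, pub)
        if key_tag(alt) == tag and ds_digest(owner, alt) == digest:
            return f"algorithm mismatch: DS expects algorithm {alg}, zone publishes the same key as algorithm {k_alg}"
    return "no DNSKEY matches the DS"

# The DS the parent holds was derived from the KSK as OpenDNSSEC created it (algorithm 7)...
PARENT_DS = ds_record(ZONE, dnskey_rdata(257, 3, 7, PUBKEY))
# ...but the zone publishes that KSK as algorithm 8, next to an IPA-generated ZSK (placeholder bytes).
PUBLISHED = [(257, 3, 8, PUBKEY), (256, 3, 8, bytes(64))]

if __name__ == "__main__":
    print(check_ds(ZONE, PARENT_DS, PUBLISHED))
```

Feed the real parent DS and the DNSKEY RRset from a live query into `check_ds` to distinguish a wrong algorithm byte from a key that was never synchronized at all.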
