[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys
Petr Spacek
pspacek at redhat.com
Thu Aug 18 10:12:18 UTC 2016
On 17.8.2016 19:58, Guido Schmitz wrote:
> After some debugging, I found the error:
>
> ==== cut =====
> ipa : DEBUG stderr=
> ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO attrs: {'idnsseckeyref':
> ['pkcs11:object=a00001'], 'dn':
> 'cn=KSK-20140731111634Z-a00001,cn=keys,idnsname=myzone.com.,cn=dns,dc=int,dc=gtrs,dc=de',
> 'cn': ['KSK-20140731111634Z-a00001'], 'idnsseckeypublish':
> ['20140731111634Z'], 'objectclass': ['idnsSecKey'], 'idnsseckeysep':
> ['TRUE'], 'idnssecalgorithm': ['RSASHA1NSEC3SHA1'], 'idnsseckeyzone':
> ['TRUE'], 'idnsseckeycreated': ['20140731111634Z'],
> 'idnsseckeyactivate': ['20140731111634Z']}
> ipa : DEBUG Starting external process
> ipa : DEBUG args=/usr/sbin/dnssec-keyfromlabel-pkcs11 -K
> /var/named/dyndb-ldap/ipa/master/myzone.com/tmp5dI2FC -a
> RSASHA1NSEC3SHA1 -l
> pkcs11:object=a00001;pin-source=/var/lib/ipa/dnssec/softhsm_pin -I none
> -D none -P 20140731111634 -A 20140731111634 -f KSK myzone.com.
> ipa : DEBUG Process finished, return code=1
> ipa : DEBUG stdout=
> ipa : DEBUG stderr=dnssec-keyfromlabel: fatal: unknown
> algorithm RSASHA1NSEC3SHA1
>
> Traceback (most recent call last):
> File "/usr/libexec/ipa/ipa-dnskeysyncd", line 112, in <module>
> while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
> File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 409,
> in syncrepl_poll
> self.syncrepl_refreshdone()
> File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
> line 118, in syncrepl_refreshdone
> self.bindmgr.sync(self.dnssec_zones)
> File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py",
> line 209, in sync
> self.sync_zone(zone)
> File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py",
> line 182, in sync_zone
> self.install_key(zone, uuid, attrs, tempdir)
> File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py",
> line 117, in install_key
> result = ipautil.run(cmd, capture_output=True)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
> 479, in run
> raise CalledProcessError(p.returncode, arg_string, str(output))
> subprocess.CalledProcessError: Command
> '/usr/sbin/dnssec-keyfromlabel-pkcs11 -K
> /var/named/dyndb-ldap/ipa/master/myzone.com/tmp5dI2FC -a
> RSASHA1NSEC3SHA1 -l
> pkcs11:object=a00001;pin-source=/var/lib/ipa/dnssec/softhsm_pin -I none
> -D none -P 20140731111634 -A 20140731111634 -f KSK myzone.com.' returned
> non-zero exit status 1
> ==== cut =====
>
> dnssec-keyfromlabel-pkcs11 expects NSEC3RSASHA1 for algorithm 7, but it
> gets RSASHA1NSEC3SHA1 instead (just the plain attribute value from LDAP).
>
> I've changed a few lines in
> /usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py in method
> install_key:
>
> ==== cut ====
> 108c108,112
> < cmd = [paths.DNSSEC_KEYFROMLABEL, '-K', workdir, '-a',
> attrs['idnsSecAlgorithm'][0], '-l', uri]
> ---
>> algo = attrs['idnsSecAlgorithm'][0]
>> if algo == 'RSASHA1NSEC3SHA1':
>> algo = 'NSEC3RSASHA1'
>> cmd = [paths.DNSSEC_KEYFROMLABEL, '-K', workdir, '-a', algo,
> '-l', uri]
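Review bot: the replacement at line 108 hard-codes a single string comparison inside install_key; move the translation into a module-level dict (e.g. `{'RSASHA1NSEC3SHA1': 'NSEC3RSASHA1'}`) with a comment saying that LDAP carries the IANA-style spelling while dnssec-keyfromlabel expects BIND's name for algorithm 7, so any further naming differences are handled in one place, and raise a clear error for a value that is not in the table rather than letting dnssec-keyfromlabel fail inside syncrepl_refreshdone as the traceback above shows. Also, as quoted, the continuation line `'-l', uri]` has no leading diff marker, so the hunk will not apply as pasted.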
> ==== cut ====
>
> Now, everything seems to work correctly: The DNSKEY records are
> published with the correct algorithms and the ZSK is signed by both KSKs
> (the imported one and the IPA generated one).
I'm glad it finally works!
For this particular problem I've created ticket
https://fedorahosted.org/freeipa/ticket/6229
so we can fix it independently of the key import feature.
Thank you *very* much for your effort, it is a very valuable experience and it
will help improve FreeIPA!
--
Petr^2 Spacek
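As an added example, not part of this thread and not FreeIPA's own code, here is the translation the patch above does by hand written as a small normaliser: it accepts the LDAP spelling, the IANA mnemonic, BIND's name or the algorithm number, fails with a clear error for anything dnssec-keyfromlabel would reject, and builds the same dnssec-keyfromlabel-pkcs11 argument vector as the logged command. The command path, flags and attribute values are taken from the log; the attribute names idnsSecKeyInactive and idnsSecKeyDelete (for the `-I none -D none` arguments) and the table entries for algorithms other than 7 are assumptions the thread does not confirm.

```python
"""Normalise DNSSEC algorithm names before calling dnssec-keyfromlabel.

Added example, not FreeIPA code.  The thread demonstrates one mismatch:
LDAP stores 'RSASHA1NSEC3SHA1' for algorithm 7, the tool wants
'NSEC3RSASHA1'.  All other table entries and the Inactive/Delete
attribute names below are assumptions.
"""
import re

# Command path taken from the logged command line.
DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"

# IANA algorithm number -> name dnssec-keyfromlabel accepts for '-a'.
# Number 7 is the case from the thread; the rest are assumed (IANA
# mnemonics, which BIND spells identically).
BIND_ALGORITHMS = {
    5: "RSASHA1",
    7: "NSEC3RSASHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

# Reverse map of BIND names plus the LDAP/IANA spelling of algorithm 7
# ('RSASHA1-NSEC3-SHA1' reduces to the same key once punctuation is gone).
_BY_NAME = dict((name, number) for number, name in BIND_ALGORITHMS.items())
_BY_NAME["RSASHA1NSEC3SHA1"] = 7


def normalize_algorithm(value):
    """Return the '-a' argument for an algorithm given as a BIND name, an
    LDAP/IANA-style name or a number (int or str).  Raises ValueError for
    anything dnssec-keyfromlabel would reject, so the caller can report it
    instead of crashing on CalledProcessError later."""
    key = re.sub(r"[^A-Z0-9]", "", str(value).upper())
    if key.isdigit():
        number = int(key)
    elif key in _BY_NAME:
        number = _BY_NAME[key]
    else:
        raise ValueError("unknown DNSSEC algorithm %r" % (value,))
    if number not in BIND_ALGORITHMS:
        raise ValueError("unsupported DNSSEC algorithm number %d" % number)
    return BIND_ALGORITHMS[number]


def is_supported_algorithm(value):
    """True when normalize_algorithm() would accept value."""
    try:
        normalize_algorithm(value)
    except ValueError:
        return False
    return True


def _attr(attrs, name):
    """Single-valued, case-insensitive lookup: LDAP attribute names are
    case-insensitive and the log prints them lower-cased."""
    wanted = name.lower()
    for key, values in attrs.items():
        if key.lower() == wanted and values:
            return values[0]
    return None


def _when(value):
    """'20140731111634Z' -> '20140731111634' as on the logged command
    line; an absent attribute becomes 'none'."""
    return "none" if value is None else value.rstrip("Z")


def build_keyfromlabel_cmd(workdir, attrs, uri, zone):
    """Build the argument vector in the same order as the logged command."""
    algo = normalize_algorithm(_attr(attrs, "idnsSecAlgorithm"))
    cmd = [DNSSEC_KEYFROMLABEL, "-K", workdir, "-a", algo, "-l", uri]
    for flag, attr in (("-I", "idnsSecKeyInactive"),  # assumed attribute name
                       ("-D", "idnsSecKeyDelete"),    # assumed attribute name
                       ("-P", "idnsSecKeyPublish"),
                       ("-A", "idnsSecKeyActivate")):
        cmd += [flag, _when(_attr(attrs, attr))]
    if (_attr(attrs, "idnsSecKeySEP") or "").upper() == "TRUE":
        cmd += ["-f", "KSK"]
    cmd.append(zone)
    return cmd


# The key entry from the log, reconstructed as a plain dict (constructed input).
SAMPLE_ATTRS = {
    "idnsseckeyref": ["pkcs11:object=a00001"],
    "cn": ["KSK-20140731111634Z-a00001"],
    "idnsseckeypublish": ["20140731111634Z"],
    "idnsseckeysep": ["TRUE"],
    "idnssecalgorithm": ["RSASHA1NSEC3SHA1"],
    "idnsseckeyactivate": ["20140731111634Z"],
}

if __name__ == "__main__":
    print(" ".join(build_keyfromlabel_cmd(
        "/var/named/dyndb-ldap/ipa/master/myzone.com/tmp5dI2FC", SAMPLE_ATTRS,
        "pkcs11:object=a00001;pin-source=/var/lib/ipa/dnssec/softhsm_pin",
        "myzone.com.")))
```

Run stand-alone it prints the command line from the log with NSEC3RSASHA1 substituted; the ValueError path is what lets a caller log a readable message and skip the key instead of taking the whole sync loop down with an unhandled CalledProcessError.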