When DNSSEC is enabled for a zone, two keys are created in the OpenDNSSEC database: one KSK (key signing key) and one ZSK (zone signing key). An LDAP entry is created for each key, containing its metadata (key type, date of activation, date of publication, etc.), but with RHEL 8.3 the key type is not properly mapped in the LDAP entry.

ipa-healthcheck could add a check ensuring that the LDAP entry is correct, or direct the admin to the KCS https://access.redhat.com/solutions/5806521 that explains how to fix the issue.

The check can be a WARNING as the bad mapping does not prevent the zone from being signed.

How to detect the issue:

1. Find which DNS zones are configured for DNSSEC with `api.Command.dnszone_find(idnssecinlinesigning=True)`.
2. For each zone, identify the ZSK in the content of the OpenDNSSEC database with ods-enforcer (note the CKA_ID from the 7th column of its output).
   Note: ods-enforcer refers to the zones without a trailing period. If the zone in IPA is `secure.example.test.`, the ods-enforcer command needs to refer to `secure.example.test`.
3. Check if there is an LDAP entry with `idnsSecKeyRef: pkcs11:object=<CKA_ID>` below `cn=keys,idnsname=<zone name>,cn=dns,<base dn>`.
4. The LDAP entry must be named `cn=ZSK-<date>-<CKA_ID>` (not `cn=KSK-<date>-<CKA_ID>`) and must not contain `idnsSecKeySep: TRUE`. If that's not the case, raise a warning and refer to the KCS for a repair procedure.
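The detection steps above, written out as runnable check logic. This is an added example and not ipa-healthcheck or FreeIPA code: the `dnszone_find` call, the LDAP search and the ods-enforcer listing are replaced by constructed in-memory data (the zone names, base DN, dates and CKA_ID values are made up), so the check runs offline. The second constructed zone reproduces the symptom described in the issue: a ZSK entry named `KSK-...` that carries `idnsSecKeySep: TRUE`.

```python
"""Check that each signed zone's ZSK has a correctly mapped LDAP key entry.

Added example, not ipa-healthcheck or FreeIPA code. All inputs below are
constructed stand-ins for the IPA API, ods-enforcer and LDAP.
"""
from dataclasses import dataclass, field

WARNING = "WARNING"
SUCCESS = "SUCCESS"
KCS_URL = "https://access.redhat.com/solutions/5806521"


@dataclass
class KeyEntry:
    """One LDAP key entry: its DN and attributes (values as lists, like python-ldap)."""
    dn: str
    attrs: dict = field(default_factory=dict)


# Constructed stand-in for api.Command.dnszone_find(idnssecinlinesigning=True)
SIGNED_ZONES = ["secure.example.test.", "broken.example.test."]

# Constructed stand-in for the ZSK CKA_ID read from the ods-enforcer listing.
# ods-enforcer names zones without the trailing period (see ods_zone_name).
ZSK_CKA_ID = {
    "secure.example.test": "c0ffee0011223344",
    "broken.example.test": "deadbeef55667788",
}

BASE_DN = "dc=example,dc=test"  # constructed base DN

# Constructed LDAP content: the first zone is mapped correctly; the second shows
# the RHEL 8.3 symptom (ZSK entry named KSK-... and carrying idnsSecKeySep: TRUE).
LDAP_ENTRIES = [
    KeyEntry(
        "cn=ZSK-20210301120000-c0ffee0011223344,cn=keys,idnsname=secure.example.test.,cn=dns,dc=example,dc=test",
        {"idnsSecKeyRef": ["pkcs11:object=c0ffee0011223344"]},
    ),
    KeyEntry(
        "cn=KSK-20210301120000-deadbeef55667788,cn=keys,idnsname=broken.example.test.,cn=dns,dc=example,dc=test",
        {"idnsSecKeyRef": ["pkcs11:object=deadbeef55667788"], "idnsSecKeySep": ["TRUE"]},
    ),
]


def ods_zone_name(ipa_zone):
    """IPA zone names end with a period; ods-enforcer refers to them without it."""
    return ipa_zone.rstrip(".")


def keys_container_dn(ipa_zone, base_dn):
    """Container holding the key entries of a zone: cn=keys,idnsname=<zone>,cn=dns,<base dn>."""
    return f"cn=keys,idnsname={ipa_zone},cn=dns,{base_dn}"


def find_key_entry(entries, container_dn, cka_id):
    """Return the entry below container_dn whose idnsSecKeyRef is pkcs11:object=<CKA_ID>."""
    wanted = f"pkcs11:object={cka_id}"
    suffix = "," + container_dn.lower()
    for entry in entries:
        if entry.dn.lower().endswith(suffix) and wanted in entry.attrs.get("idnsSecKeyRef", []):
            return entry
    return None


def check_zsk_mapping(entries, ipa_zone, base_dn, zsk_cka_id):
    """Steps 3 and 4 of the procedure: return (severity, message) for one zone."""
    container = keys_container_dn(ipa_zone, base_dn)
    entry = find_key_entry(entries, container, zsk_cka_id)
    if entry is None:
        return WARNING, f"{ipa_zone}: no entry with idnsSecKeyRef=pkcs11:object={zsk_cka_id} below {container}"

    rdn = entry.dn.split(",", 1)[0]  # e.g. cn=ZSK-<date>-<CKA_ID>
    problems = []
    if not rdn.lower().startswith("cn=zsk-"):
        problems.append(f"entry is named {rdn}, expected cn=ZSK-<date>-{zsk_cka_id}")
    if "TRUE" in [v.upper() for v in entry.attrs.get("idnsSecKeySep", [])]:
        problems.append("entry carries idnsSecKeySep: TRUE (the KSK flag)")
    if problems:
        return WARNING, f"{ipa_zone}: " + "; ".join(problems) + f"; repair procedure: {KCS_URL}"
    return SUCCESS, f"{ipa_zone}: ZSK entry {rdn} is mapped correctly"


def run_check(zones=SIGNED_ZONES, entries=LDAP_ENTRIES, base_dn=BASE_DN, cka_ids=ZSK_CKA_ID):
    """Steps 1 and 2 (simulated) feeding steps 3 and 4: one result per signed zone."""
    return {zone: check_zsk_mapping(entries, zone, base_dn, cka_ids[ods_zone_name(zone)]) for zone in zones}


if __name__ == "__main__":
    for zone, (severity, message) in run_check().items():
        print(severity, message)
```

In a real plugin the three constructed inputs would come from the IPA API, the ods-enforcer listing and an LDAP search under the container DN; the comparison logic (entry name prefix and absence of `idnsSecKeySep: TRUE`) is what the issue asks the check to enforce.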