On 29.2.2016 11:54, Peter Fern wrote:
> On 02/29/2016 21:22, Petr Spacek wrote:
>> On 28.2.2016 14:51, Peter Fern wrote:
>>> Hi all,
>>>
>>> A new KSK has been auto-generated, and it has transitioned through
>>> 'published' and is now sitting in the 'ready' state, but does not appear
>>> as a DNSKEY record in the zone. I can see that ods-enforcerd has picked
>>> up the state change correctly and logged a DSChanged event with the
>>> correct output for the new DNSKEY record, and it appears as expected in
>>> localhsm, but it is not published in the zone.
>>>
>>> Running FreeIPA 4.3.0-1.fc23; has anyone got pointers on how to proceed with
>>> the rollover?
>>
>> Hi,
>>
>> I would recommend that you wait until the fix for
>> https://fedorahosted.org/freeipa/ticket/5334
>> is released in 4.3.1 or so.
>>
>> After that you can use the procedure described on the page
>> http://www.freeipa.org/page/Howto/DNSSEC
>> to run the ds-seen command.
>>
>> I hope this helps.
>
> That ticket was reported by me ;-)
>
> The issue here is that the new KSK did not appear as a DNSKEY record, so
> running ds-seen would have been a bad idea, since the zone would be
> entirely invalid if the old key was rotated out before the new key was
> published, and the new DS record would be invalid without the
> corresponding KSK anyway.

This should be fixed in 4.3.1 too.

> I did also have some more rotated keys get stuck per #5334, and had
> cleared them prior to this issue, but I was having trouble getting the
> zone re-signed correctly, and I was hoping to roll all the keys to deal
> with that. In the end, I had to un-sign the domain and re-sign it to
> recover.
>
> I was wondering if there were possibly some known issues/tricks with KSK
> rollover, but wasn't certain if my #5334 issues may have thrown a
> spanner in the works at some key point in the lifecycle. I've got some
> more KSKs due to roll in a couple of months, so hopefully I can get
> 4.3.1 deployed before then, and I'll be able to see if the process goes
> smoothly without the extraneous issues.
>
> I've also discovered the replication ACI issues in 4.3.0 (#5575 and
> friends), which are causing me some grief. Is there a feel for how
> close we are to a 4.3.1 release?

We intend to release it in a week or two (if everything goes as planned).
Stay tuned.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
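The precondition Peter describes (the new KSK must be visible in the zone's DNSKEY RRset before ds-seen is run, otherwise the DS points at a key that validators cannot find) can be checked mechanically. The script below is an added example, not code from this thread or from FreeIPA/OpenDNSSEC; it computes the RFC 4034 Appendix B key tag of each published DNSKEY and only reports "safe" when a SEP-flagged key matching the DS's key tag and algorithm is present. The DNSKEY/DS records are constructed sample data, not real keys.

```python
import base64
import struct


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for all algorithms except RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR into (flags, protocol, algorithm, pubkey)."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))   # base64 may be split by spaces
    return flags, protocol, algorithm, pubkey


def parse_ds(line: str):
    """Parse a presentation-format DS RR into (keytag, algorithm)."""
    tokens = line.split()
    i = tokens.index("DS")
    return int(tokens[i + 1]), int(tokens[i + 2])


def ds_safe_to_mark_seen(ds_line: str, dnskey_lines) -> bool:
    """True only if the zone publishes a KSK (SEP bit set) whose key tag and
    algorithm match the DS record; otherwise running ds-seen would break validation."""
    keytag, algorithm = parse_ds(ds_line)
    for line in dnskey_lines:
        flags, protocol, alg, pubkey = parse_dnskey(line)
        if flags & 0x0001 and alg == algorithm \
                and dnskey_keytag(flags, protocol, alg, pubkey) == keytag:
            return True
    return False


# Constructed sample records (tiny fake public keys, placeholder digest).
SAMPLE_DNSKEYS = [
    "example.test. 3600 IN DNSKEY 257 3 8 AQI=",   # KSK, key tag 1291
    "example.test. 3600 IN DNSKEY 256 3 8 AwQ=",   # ZSK, key tag 1804
]
SAMPLE_DS = "example.test. 3600 IN DS 1291 8 2 PLACEHOLDERDIGEST"

if __name__ == "__main__":
    print("safe to run ds-seen:", ds_safe_to_mark_seen(SAMPLE_DS, SAMPLE_DNSKEYS))
```

In practice the DNSKEY lines would come from `dig +norecurse DNSKEY <zone>` against the authoritative server and the DS line from the enforcer's DSChanged output.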