>> Still, there is one problem:
>> My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
>> algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
>> in LDAP (under attribute idnsSecAlgorithm in the entry
>> cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns), but BIND seems
>> to ignore this attribute and assumes that it is always algorithm 8.
> 
> Hmm, algorithm mismatch will cause DNSSEC validation to break horribly. The
> generated records will not match what is indicated in DS record of the parent
> zone...
> 
> Please look into
> /var/named/dyndb-ldap/ipa/master/myzone.com/keys
> and inspect BIND key files (*.private). Cross-check values in files with
> values shown by OpenDNSSEC. All the values should match.
> 
> If they do not match, we have a bug somewhere in the synchronization
> mechanism, which is possible.

The imported KSK does not exist in this directory (neither on the master
server nor on the replica). The keys created by IPA are present in this
directory.

Now, I also checked if the imported KSK is used to sign the ZSK, but
there are no matching RRSIG records. (When I wrote earlier that BIND
uses the imported KSK, I only checked whether a DNSKEY record for this
KSK is present. The DNSKEY record is present, but with the wrong algorithm.)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
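A cross-check of the kind suggested above, as an added example that is not from this thread, FreeIPA or BIND: it reads the algorithm number out of a BIND `.private` key file, the key file name, the published DNSKEY RR and the parent's DS RR, and reports where they disagree. The key file contents, RRs, key tag and digest below are constructed, not real key material.

```python
import re

ALG_NAMES = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}  # IANA DNSSEC algorithm numbers
def _n(alg): return f"{alg} ({ALG_NAMES.get(alg, 'unknown')})"

def alg_from_private_file(text):
    """Algorithm number from the 'Algorithm: N (NAME)' line of a BIND .private file."""
    m = re.search(r"^Algorithm:\s*(\d+)", text, re.MULTILINE)
    if not m: raise ValueError("no 'Algorithm:' line in key file")
    return int(m.group(1))

def parse_key_filename(name):
    """'K<zone>.+<alg>+<keytag>.private' (BIND naming) -> (alg, keytag)."""
    m = re.fullmatch(r"K.+\.\+(\d{3})\+(\d{5})\.(?:private|key)", name)
    if not m: raise ValueError(f"unexpected key file name: {name}")
    return int(m.group(1)), int(m.group(2))

def parse_dnskey_rr(rr):
    """'<zone> [TTL] [IN] DNSKEY <flags> <proto> <alg> <key>' -> (flags, alg)."""
    f = rr.split()
    i = f.index("DNSKEY")
    return int(f[i + 1]), int(f[i + 3])

def parse_ds_rr(rr):
    """'<zone> [TTL] [IN] DS <keytag> <alg> <digesttype> <digest>' -> (keytag, alg)."""
    f = rr.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2])

def check_ksk(filename, private_text, dnskey_rr, ds_rr):
    """Return mismatch descriptions; an empty list means file, name, DNSKEY and DS agree."""
    name_alg, name_tag = parse_key_filename(filename)
    file_alg = alg_from_private_file(private_text)
    flags, dnskey_alg = parse_dnskey_rr(dnskey_rr)
    ds_tag, ds_alg = parse_ds_rr(ds_rr)
    problems = []
    if flags != 257:
        problems.append(f"DNSKEY flags {flags} do not mark a KSK (expected 257)")
    for where, alg in (("file name", name_alg), ("DNSKEY RR", dnskey_alg), ("parent DS", ds_alg)):
        if alg != file_alg:
            problems.append(f"{where} says algorithm {_n(alg)}, .private file says {_n(file_alg)}")
    if ds_tag != name_tag:
        problems.append(f"parent DS key tag {ds_tag} != key file tag {name_tag}")
    return problems

# Constructed sample (no real key material): an algorithm-7 KSK whose DNSKEY RR was
# published as algorithm 8, the situation described in the message above.
SAMPLE_NAME = "Kmyzone.com.+007+12345.private"
SAMPLE_PRIVATE = "Private-key-format: v1.3\nAlgorithm: 7 (NSEC3RSASHA1)\nModulus: (omitted)\n"
SAMPLE_DNSKEY = "myzone.com. 3600 IN DNSKEY 257 3 8 AwEAAconstructedkey="
SAMPLE_DS = "myzone.com. 3600 IN DS 12345 7 2 0123456789abcdef"
```

Running `check_ksk(SAMPLE_NAME, SAMPLE_PRIVATE, SAMPLE_DNSKEY, SAMPLE_DS)` flags only the DNSKEY RR, which is exactly the record a resolver compares against the parent's DS.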