On 17.8.2016 14:38, Guido Schmitz wrote:
>>> Still, there is one problem:
>>> My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
>>> algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
>>> in LDAP (under attribute idnsSecAlgorithm in the entry
>>> cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns), but BIND seems
>>> to ignore this attribute and assumes that it is always algorithm 8.
>>
>> Hmm, algorithm mismatch will cause DNSSEC validation to break horribly. The
>> generated records will not match what is indicated in DS record of the parent
>> zone...
>>
>> Please look into
>> /var/named/dyndb-ldap/ipa/master/myzone.com/keys
>> and inspect BIND key files (*.private). Cross-check values in files with
>> values shown by OpenDNSSEC. All the values should match.
>>
>> If they do not match, we have a bug somewhere in the synchronization
>> mechanism, which is possible.
>
> The imported KSK does not exist in this directory (neither on the master
> server nor on the replica). The keys created by IPA are present in this
> directory.
>
> Now, I also checked if the imported KSK is used to sign the ZSK, but
> there are no matching RRSIG records. (When I wrote earlier that BIND
> uses the imported KSK, I only checked whether a DNSKEY record for this
> KSK is present. The DNSKEY record is present, but with the wrong algorithm.)
Okay, so we need to go back to see where the problem is.

Part A - key material:

0. I assume that you double-checked key attributes in OpenDNSSEC.

1. ipa-ods-exporter service on IPA DNSSEC key master server should not
report any errors when exporting keys (triggered by ods-signer ipa-full-update)

2. Output of these two commands should match:

all IPA DNS servers$ \
python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py

any IPA DNS server$ \
python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/ldapkeydb.py

This verifies that key material was replicated correctly.

Part B - key metadata:

These are read by ipa-dnskeysyncd daemon from LDAP and stored in BIND key files.

Please check logs of ipa-dnskeysyncd service and watch out for errors.
debug=True in /etc/default.conf will tell you more if needed.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
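The cross-check the thread asks for (LDAP idnsSecAlgorithm versus the Algorithm line of the BIND *.private file versus the algorithm field of the parent's DS record) can be scripted. The block below is an added example, not FreeIPA's code or anything from the thread: the LDAP entry, the *.private file contents and the DS record are constructed sample values (the DN reuses the thread's myzone.com placeholder, the key material and digest are dummy strings), and the algorithm-number table is the IANA DNSSEC algorithm registry subset that BIND and OpenDNSSEC print by name. Run against real files it reports the same algorithm 7 versus 8 disagreement Guido describes, which is the condition under which RRSIGs will not validate against the parent DS.

```python
"""Cross-check DNSSEC key algorithm numbers between the LDAP key entry,
the BIND *.private key file and the parent zone's DS record.
Added diagnostic example; all sample inputs are constructed."""
import re

# IANA DNSSEC algorithm numbers (subset), names as BIND/OpenDNSSEC print them.
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1NSEC3SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
}
NAME_TO_NUMBER = {name: num for num, name in ALGORITHMS.items()}


def normalise_name(name):
    """Map 'RSASHA1-NSEC3-SHA1' / 'rsasha1nsec3sha1' to the canonical form."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())


def parse_private_file(text):
    """Parse the 'Key: value' lines of a BIND *.private file.
    Returns the fields plus the algorithm number under 'algorithm'."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    alg = fields.get("Algorithm")
    if alg is None:
        raise ValueError("no Algorithm line in key file")
    fields["algorithm"] = int(alg.split()[0])  # "8 (RSASHA256)" -> 8
    return fields


def parse_ds_record(rr):
    """Return (key_tag, algorithm) from a presentation-format DS RR."""
    parts = rr.split()
    idx = parts.index("DS")
    return int(parts[idx + 1]), int(parts[idx + 2])


def describe(num):
    return "%d (%s)" % (num, ALGORITHMS.get(num, "unknown"))


def check_key_algorithms(ldap_entry, private_file_text, ds_rr):
    """Return a list of mismatch descriptions; an empty list means the
    three sources agree on the key algorithm."""
    ldap_alg = NAME_TO_NUMBER[normalise_name(ldap_entry["idnsSecAlgorithm"])]
    file_alg = parse_private_file(private_file_text)["algorithm"]
    _, ds_alg = parse_ds_record(ds_rr)
    problems = []
    if file_alg != ldap_alg:
        problems.append("BIND key file says %s but LDAP says %s"
                        % (describe(file_alg), describe(ldap_alg)))
    if file_alg != ds_alg:
        problems.append("BIND key file says %s but parent DS says %s"
                        % (describe(file_alg), describe(ds_alg)))
    return problems


# Constructed sample data reproducing the situation in the thread.
SAMPLE_LDAP_ENTRY = {
    "dn": "cn=KSK-timestamp-id,cn=keys,idnsname=myzone.com,cn=dns",
    "idnsSecAlgorithm": "RSASHA1NSEC3SHA1",  # algorithm 7
}
SAMPLE_PRIVATE_FILE = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: constructed-placeholder-modulus
PublicExponent: AQAB
Created: 20160817123456
Publish: 20160817123456
Activate: 20160817123456
"""
SAMPLE_DS = ("myzone.com. IN DS 12345 7 2 "
             "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF")

if __name__ == "__main__":
    for problem in check_key_algorithms(SAMPLE_LDAP_ENTRY,
                                        SAMPLE_PRIVATE_FILE, SAMPLE_DS):
        print("MISMATCH: " + problem)
```

To use it on a real server, read each K*.private file from the keys directory named in the thread, fetch the matching cn=...,cn=keys entry's idnsSecAlgorithm from LDAP, and take the DS record from the parent zone; any non-empty result means the signatures BIND produces cannot chain to the DS, whatever the DNSKEY record looks like.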