On 25.10.2016 15:49, Günther J. Niederwimmer wrote:
> Hello,
>
> FreeIPA 4.3.1
> CentOS 7.2
>
> I found today in /var/log/messages these entries
>
> Is the DNSSEC now broken?
>
> Thanks for an answer
>
> ct 25 15:41:29 ipa ipa-dnskeysyncd: Traceback (most recent call last):
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 112, in <module>
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.syncrepl_refreshdone()
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 118, in syncrepl_refreshdone
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.bindmgr.sync(self.dnssec_zones)
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py", line 209, in sync
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.sync_zone(zone)
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py", line 182, in sync_zone
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.install_key(zone, uuid, attrs, tempdir)
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py", line 117, in install_key
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: result = ipautil.run(cmd, capture_output=True)
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 479, in run
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/sbin/dnssec-keyfromlabel-pkcs11 -K /var/named/dyndb-ldap/ipa/master/4gjn.com/tmppaO_R2 -a RSASHA256 -l pkcs11:object=d7fe5c98d5f3f89aefb9e8dfb92ebcb1;pin-source=/var/lib/ipa/dnssec/softhsm_pin -I 20160811091542 -D 20160825225503 -P 20160513081600 -A 20160513081600 4gjn.com.' returned non-zero exit status 1
> Oct 25 15:41:30 ipa systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
> Oct 25 15:41:30 ipa systemd: Unit ipa-dnskeysyncd.service entered failed state.
> Oct 25 15:41:30 ipa systemd: ipa-dnskeysyncd.service failed.

It might break in future, when keys are rotated.

Please follow
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work

This debugging option might come in handy, too:
http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data

--
Petr^2 Spacek
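
A triage helper for the failure logged above, as an added example that is not part of the original thread or of FreeIPA: it pulls the failed `dnssec-keyfromlabel-pkcs11` command out of the `CalledProcessError` entry and reads its timing options (`-P` publish, `-A` activate, `-I` inactive, `-D` delete) to report which lifecycle stage the key had reached. The function names are hypothetical, the log line is rebuilt from the quoted message, and the year 2016 is assumed from the date of the e-mail.

```python
import re
import shlex
from datetime import datetime

# Constructed sample: the CalledProcessError entry from the log above,
# with the e-mail line wrapping undone.
LOG_LINE = (
    "Oct 25 15:41:29 ipa ipa-dnskeysyncd: subprocess.CalledProcessError: "
    "Command '/usr/sbin/dnssec-keyfromlabel-pkcs11 "
    "-K /var/named/dyndb-ldap/ipa/master/4gjn.com/tmppaO_R2 -a RSASHA256 "
    "-l pkcs11:object=d7fe5c98d5f3f89aefb9e8dfb92ebcb1;"
    "pin-source=/var/lib/ipa/dnssec/softhsm_pin "
    "-I 20160811091542 -D 20160825225503 -P 20160513081600 "
    "-A 20160513081600 4gjn.com.' returned non-zero exit status 1"
)

FAILED = re.compile(
    r"CalledProcessError: Command '(?P<cmd>.+)' "
    r"returned non-zero exit status (?P<rc>\d+)")
# dnssec-keyfromlabel timing options, in key lifecycle order.
TIMING = {"-P": "publish", "-A": "activate", "-I": "inactive", "-D": "delete"}
NAMES = {"-K": "keydir", "-a": "algorithm", "-l": "label"}

def parse_failure(line):
    """Return the failed command's arguments as a dict, or None if no match."""
    m = FAILED.search(line)
    if m is None:
        return None
    argv = shlex.split(m.group("cmd"))
    info = {"tool": argv[0], "zone": argv[-1], "rc": int(m.group("rc")),
            "timing": {}}
    opts = argv[1:-1]
    for opt, val in zip(opts[0::2], opts[1::2]):  # every option here takes a value
        if opt in TIMING:
            info["timing"][TIMING[opt]] = datetime.strptime(val, "%Y%m%d%H%M%S")
        elif opt in NAMES:
            info[NAMES[opt]] = val
    return info

def key_state(timing, now):
    """Last lifecycle stage whose timestamp is not after `now`."""
    state = "unpublished"
    for stage in TIMING.values():
        when = timing.get(stage)
        if when is not None and when <= now:
            state = stage
    return state

if __name__ == "__main__":
    info = parse_failure(LOG_LINE)
    # Assumption: the log year is 2016, taken from the date of the e-mail.
    print(info["zone"], info["label"],
          key_state(info["timing"], datetime(2016, 10, 25, 15, 41, 29)))
```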
