Re: F33 upgrade: dnssec-trigger and Strong Crypto Settings, phase 2

2020-10-07 Thread Paul Wouters

On Wed, 7 Oct 2020, Dominik 'Rathann' Mierzejewski wrote:

> Today, I upgraded one of my machines to F33. Upon first F33 boot I
> noticed that the dnssec-triggerd service failed to start. It turns out I
> had very old dnssec-trigger keys and certificates ("only" 1536-bit RSA)
> generated back in 2014 which no longer passed as acceptable per the
> default crypto policy change [1], which requires at least 2048-bit keys.
> The work-around is to move away or delete the existing keys and
> certificates in /etc/dnssec-trigger and let
> dnssec-triggerd-keygen.service generate new ones. After that, the
> dnssec-triggerd.service starts successfully. I filed a bug[2] against
> dnssec-trigger.

Can dnssec-trigger not work now via a unix domain socket instead of TLS
for its command channel? I know NLnetlabs added that for its other
servers like unbound and nsd that only supported TLS before.

The man page suggests it does not support this yet, but I'm pretty
sure upstream would accept a patch.

Paul
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


F33 upgrade: dnssec-trigger and Strong Crypto Settings, phase 2

2020-10-07 Thread Dominik 'Rathann' Mierzejewski
Today, I upgraded one of my machines to F33. Upon first F33 boot I
noticed that the dnssec-triggerd service failed to start. It turns out I
had very old dnssec-trigger keys and certificates ("only" 1536-bit RSA)
generated back in 2014 which no longer passed as acceptable per the
default crypto policy change [1], which requires at least 2048-bit keys.
The work-around is to move away or delete the existing keys and
certificates in /etc/dnssec-trigger and let
dnssec-triggerd-keygen.service generate new ones. After that, the
dnssec-triggerd.service starts successfully. I filed a bug[2] against
dnssec-trigger.

[1] https://www.fedoraproject.org/wiki/Changes/StrongCryptoSettings2
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1886172

Regards,
Dominik
-- 
Fedora   https://getfedora.org  |  RPM Fusion  http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan
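A stdlib-only audit for the failure mode in this thread (RSA keys below the 2048-bit floor of the F33 DEFAULT crypto policy), added here as an example rather than code from dnssec-trigger or Fedora. It assumes the key and certificate files under /etc/dnssec-trigger carry a .pem extension, and it includes a constructed dummy-key generator so the checker can be exercised without touching real keys:

```python
# Added example (not dnssec-trigger/Fedora code): check PEM RSA keys against the F33 2048-bit floor.
import base64, glob, os, re
MIN_RSA_BITS = 2048  # minimum RSA size accepted by the F33 DEFAULT policy

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; raise if it overruns buf."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def largest_integer_bits(der):
    """Bit length of the biggest INTEGER in DER (the RSA modulus n); 0 if not DER."""
    best, pos = 0, 0
    try:
        while pos < len(der):
            tag, val, pos = _tlv(der, pos)
            if tag == 0x02:  # INTEGER
                best = max(best, int.from_bytes(val, "big").bit_length())
            elif tag in (0x30, 0x31, 0x04):  # SEQUENCE / SET / OCTET STRING (PKCS#8)
                best = max(best, largest_integer_bits(val))
            elif tag == 0x03:  # BIT STRING (SPKI wraps RSAPublicKey): skip unused-bits byte
                best = max(best, largest_integer_bits(val[1:]))
    except (IndexError, ValueError):
        return 0  # opaque payloads such as signature values are not DER
    return best

def rsa_bits_from_pem(pem_text):
    """Modulus size of the first PEM object (key or certificate) in the text."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem_text, re.S)
    return largest_integer_bits(base64.b64decode("".join(m.group(1).split())))

def audit_dir(path="/etc/dnssec-trigger"):
    """{file: (bits, acceptable)}; the *.pem glob is an assumption about file names."""
    return {f: (b, b >= MIN_RSA_BITS) for f in glob.glob(os.path.join(path, "*.pem"))
            for b in [rsa_bits_from_pem(open(f).read())]}

def fake_pkcs1_public_pem(bits):
    """Constructed RSAPublicKey PEM with a dummy `bits`-bit modulus (not a real key)."""
    def der(tag, body):  # minimal DER TLV encoder, short and long length forms
        if len(body) < 0x80:
            return bytes([tag, len(body)]) + body
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    der_int = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # keeps 0x00 pad
    b64 = base64.b64encode(der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))).decode()
    return f"-----BEGIN RSA PUBLIC KEY-----\n{b64}\n-----END RSA PUBLIC KEY-----\n"
```

Running `audit_dir()` on an affected machine flags every file whose modulus is shorter than 2048 bits, which are exactly the ones dnssec-triggerd-keygen.service needs to regenerate once they are moved aside.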