Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2117342 - dnssec-keyfromlabel fails with fatal: failed to get key dnssec.test/RSASHA256: no engine
Summary: dnssec-keyfromlabel fails with fatal: failed to get key dnssec.test/RSASHA256...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 37
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks: 2120605
TreeView+ depends on / blocked
 
Reported: 2022-08-10 16:53 UTC by Florence Blanc-Renaud
Modified: 2022-09-18 00:17 UTC (History)
9 users (show)

Fixed In Version: bind-9.18.6-3.fc38 bind-9.18.6-3.fc37
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-13 12:25:13 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Florence Blanc-Renaud 2022-08-10 16:53:13 UTC
Description of problem:
IPA DNSSEC functionality is broken with the update of bind to bind-9.18.5-1.fc37.x86_64

Version-Release number of selected component (if applicable):
bind-9.18.5-1.fc37.x86_64
freeipa-server-4.10.0-2.fc37.x86_64
openssl-pkcs11-0.4.12-2.fc37.x86_64

How reproducible:

Always

Steps to Reproduce:
1. install IPA server with ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarder -a Secret123 -p Secret123 -U
2. enable dnssec with ipa-dns-install --dnssec-master --forwarder 10.2.32.1 -U
3. create a signed zone with kinit admin; ipa dnszone-add dnssec.test. --dnssec true

Actual results:

The zone is not signed and the journal shows an error calling dnssec-keyfromlabel:
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: ipaserver.dnssec.bindmgr: INFO     Synchronizing zone dnssec.test.
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: ipaserver.dnssec.bindmgr: INFO     attrs: <ldap.cidict.cidict object at 0x7fd325ba05b0>
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: Traceback (most recent call last):
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module>
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib64/python3.11/site-packages/ldap/syncrepl.py", line 464, in syncrepl_poll
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.syncrepl_refreshdone()
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/keysyncer.py", line 128, in syncrepl_refreshdone
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.bindmgr.sync(self.dnssec_zones)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/bindmgr.py", line 232, in sync
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.sync_zone(zone)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/bindmgr.py", line 205, in sync_zone
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     self.install_key(zone, uuid, attrs, tempdir)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipaserver/dnssec/bindmgr.py", line 146, in install_key
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     result = ipautil.run(cmd, capture_output=True)
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:   File "/usr/lib/python3.11/site-packages/ipapython/ipautil.py", line 599, in run
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]:     raise CalledProcessError(
Aug 10 16:50:07 replica1.testrelm.test ipa-dnskeysyncd[17871]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/dnssec-keyfromlabel', '-E', 'pkcs11', '-K', '/var/named
/dyndb-ldap/ipa/master/dnssec.test/tmpnkn0f4z3', '-a', b'RSASHA256', '-l', b'pkcs11:object=b431ac83a5f465151f9a27136f72869b;pin-source=/var/lib/ipa/dnssec/softhsm_pin', '-P', b'20220810164550', 
'-A', b'20220810164550', '-I', 'none', '-D', 'none', '-f', 'KSK', '-E', 'pkcs11', 'dnssec.test.'] returned non-zero exit status 1: 'dnssec-keyfromlabel: fatal: failed to get key dnssec.test/RSAS
HA256: no engine\n')


Expected results:
The zone should be signed


See the investigations from https://bugzilla.redhat.com/show_bug.cgi?id=2115865
The error does not happen if bind is downgraded to 9.16.30-1

Comment 1 Jakub Jelen 2022-09-01 13:01:16 UTC
My reading of the bind code is that they do not support engines with OpenSSL 3.0 and changed the code that it can not read pkcs11 engine keys with openssl API level >= 3:

https://github.com/isc-projects/bind9/commit/60535fc5f7ccee58c641a96fe52d9b15c192698b

https://github.com/isc-projects/bind9/blob/main/lib/dns/opensslecdsa_link.c#L1310

This probably did not surface before the bind was not rebuilt against the openssl 3.0 or rebased to a version containing the above commit

If we want to support engines with openssl 3.0 even though they are deprecated, it will require a change on the bind side.

Comment 2 Fedora Update System 2022-09-13 12:12:01 UTC
FEDORA-2022-0fea8abd6e has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0fea8abd6e

Comment 3 Fedora Update System 2022-09-13 12:25:13 UTC
FEDORA-2022-0fea8abd6e has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2022-09-13 13:49:08 UTC
FEDORA-2022-cbcb55d5c7 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-cbcb55d5c7

Comment 5 Fedora Update System 2022-09-14 01:52:24 UTC
FEDORA-2022-cbcb55d5c7 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-cbcb55d5c7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-cbcb55d5c7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-09-18 00:17:26 UTC
FEDORA-2022-cbcb55d5c7 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.