fix ods-ksmutil for 2.0.x #920
Thank you for the patch! LGTM. I put the missing pieces in the description to keep track of them. However, the upstream CI and gating heavily rely on Fedora; we cannot merge this patch without having the latest opendnssec package in Fedora. Postponing this until opendnssec is available in Fedora or we have a promising answer from the Fedora opendnssec maintainer.
It's no longer supported in 2.0.x. I'm not sure of the exact effect of that.
Could you please try to install 2 FreeIPA servers with DNSSEC, with dnssec signed zone (
I'm not getting dnssec responses from either of my hosts. They're upgrades from previous versions so I don't know how/if that changes anything either. Looks like I may have another, possibly related, bug to deal with.
It seems for some reason I needed to run I see errors in the journal for ods-exporter:
There are some errors in
That's exactly what I was afraid of.
Because the key is probably not marked as extractable, SoftHSM doesn't allow wrapping that key and sending it encrypted to other replicas. Source: https://www.cryptsoft.com/pkcs11doc/STANDARD/pkcs-11v2-11r1.pdf Could you please run and provide the output of the following commands on a DNSSEC master server: https://www.freeipa.org/page/Troubleshooting#DNS_keys_are_stored_in_local_HSM_on_key_master_replica
I didn't think about that being the reason somehow. That'll give me enough to work on to figure that out.
Is this what we're looking for?
Sorry, it looks like the troubleshooting guide misses a few steps (those are in the previous section). It should be
or you can just run: FreeIPA is using custom SoftHSM storage, so the env variable SOFTHSM2_CONF must be set to FreeIPA's config.
Sorry, it is a regression caused by the latest fix :-( Fix below:
if __name__ == '__main__':
if 'SOFTHSM2_CONF' not in os.environ:
os.environ['SOFTHSM2_CONF'] = paths.DNSSEC_SOFTHSM2_CONF
- localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+ localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, ipalib.constants.SOFTHSM_DNSSEC_TOKEN_LABEL,
open(paths.DNSSEC_SOFTHSM_PIN).read())
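Review bot: the `+` line uses `ipalib.constants.SOFTHSM_DNSSEC_TOKEN_LABEL`, but the snippet shows no import of `ipalib.constants`; without `import ipalib.constants` (or `from ipalib import constants` and `constants.SOFTHSM_DNSSEC_TOKEN_LABEL`) the `__main__` block raises NameError before `LocalHSM` is ever constructed, so the import needs to be part of the same fix. As a style point, reading the PIN via `with open(paths.DNSSEC_SOFTHSM_PIN) as f:` would close the file handle instead of leaving it to the garbage collector.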
HA! It works! I added an import and rebased to master, thinking that was already there. Now on to that SQL error...
huh... It seems they no longer support the rsa key wrap mechanisms: https://wiki.opendnssec.org/display/SoftHSM/v2+Mechanisms
Oh why ... I will check some things on Wednesday and it looks like I must file regression bugs against opendnssec and softhsm.
It's entirely possible their documentation is not up to date. There are more in the headers. I haven't gone through the code yet, but I suspect there's new ones there.
Another clue: https://stackoverflow.com/questions/12246498/what-does-cka-sensitive-attribute-in-pkcs-11-means#12314810 Unfortunately, I have to redo the DNSSEC entirely to test it. I have a staging env but it's a long test cycle for tweaks.
Still getting the same
I checked the keys in SoftHSM and currently we have the keys extractable.
Compare
daemons/dnssec/ipa-ods-exporter
@@ -51,7 +51,8 @@ KEYTAB_FB = paths.IPA_ODS_EXPORTER_KEYTAB
ODS_SE_MAXLINE = 1024 # from ODS common/config.h
ODS_DB_LOCK_PATH = "%s%s" % (paths.OPENDNSSEC_KASP_DB, '.our_lock')

SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep'
# SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep'
SECRETKEY_WRAPPING_MECH = 'aesKeyWrapPad'
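Review bot: switching `SECRETKEY_WRAPPING_MECH` from `'rsaPkcsOaep'` to `'aesKeyWrapPad'` changes the kind of wrapping key the exporter needs: AES key wrap requires a symmetric key shared by every replica, while this constant is used to wrap the secret key with each replica's RSA public key (see the reviewer's comment on this hunk), so the new value cannot work without redesigning key distribution and should be reverted. Also delete the commented-out old assignment rather than leaving it as dead code next to the new one.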
We cannot just change this; we are using RSA keys (public keys) to securely distribute the secret key to all replicas.
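As an added diagnostic (not FreeIPA's code, and using PyKCS11 instead of the project's own PKCS#11 wrapper), the check below covers both questions raised in this thread: whether the secret key is CKA_EXTRACTABLE, which SoftHSM requires before it will wrap the key, and whether the token still offers the RSA-OAEP wrapping mechanism that the exporter's 'rsaPkcsOaep' setting relies on (a missing mechanism is what CKR_MECHANISM_INVALID, return code 0x70, means). It assumes PyKCS11 is installed and SOFTHSM2_CONF points at FreeIPA's config; the library path, token label and PIN are passed in by the caller.

```python
# Added diagnostic for the two wrap failures discussed in this thread; it is not
# FreeIPA code. Live access uses PyKCS11 (assumed installed); the decision logic
# in wrap_blockers() is pure Python so it can be exercised without a token.

# ipa-ods-exporter wraps the DNSSEC secret key with each replica's RSA public key
# (its 'rsaPkcsOaep' setting), which is CKM_RSA_PKCS_OAEP on the PKCS#11 side.
WRAP_MECH = "CKM_RSA_PKCS_OAEP"


def wrap_blockers(secret_attrs, wrap_key_attrs, token_mechs):
    """Reasons why C_WrapKey(secret key, replica RSA public key) would be refused.

    secret_attrs / wrap_key_attrs: dicts of CKA_* values read from the token.
    token_mechs: mechanism names the token reports (C_GetMechanismList).
    """
    reasons = []
    if not secret_attrs.get("CKA_EXTRACTABLE", False):
        reasons.append("secret key is not CKA_EXTRACTABLE, so SoftHSM will not wrap it")
    if not wrap_key_attrs.get("CKA_WRAP", False):
        reasons.append("replica public key lacks CKA_WRAP")
    if WRAP_MECH not in token_mechs:
        reasons.append(WRAP_MECH + " not offered by token: C_WrapKey fails with "
                       "CKR_MECHANISM_INVALID (0x70)")
    return reasons


def inspect_token(lib_path, token_label, pin):
    """Live check: test every (secret key, public key) pair on the named token."""
    import PyKCS11  # imported here so wrap_blockers() stays usable without it
    lib = PyKCS11.PyKCS11Lib()
    lib.load(lib_path)
    slot = next(s for s in lib.getSlotList(tokenPresent=True)
                if lib.getTokenInfo(s).label.strip() == token_label)
    mechs = [str(m) for m in lib.getMechanismList(slot)]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    session.login(pin)
    try:
        def attrs(obj, names):  # read the named CKA_* attributes into a dict
            values = session.getAttributeValue(obj, [getattr(PyKCS11, n) for n in names])
            return dict(zip(names, values))
        report = {}
        for sk in session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_SECRET_KEY)]):
            sa = attrs(sk, ["CKA_LABEL", "CKA_EXTRACTABLE", "CKA_SENSITIVE"])
            for pk in session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PUBLIC_KEY)]):
                pa = attrs(pk, ["CKA_LABEL", "CKA_WRAP"])
                report[(sa["CKA_LABEL"], pa["CKA_LABEL"])] = wrap_blockers(sa, pa, mechs)
        return report  # {} means no keys found; [] per pair means wrapping should work
    finally:
        session.logout()
        session.closeSession()
```

Run it with SOFTHSM2_CONF exported to FreeIPA's SoftHSM config and the same library path, token label and PIN file contents that ipa-ods-exporter uses; an empty list for a pair means neither of the two causes discussed here applies.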
My bad. I thought I'd reverted that part. Might be part of why I'm still getting 0x70.
I'll redo it and get a new dump. Apart from purging the package, how do I get rid of the keys (not just the tokens) from SoftHSM?
I'm investigating; so far I found the patch which is responsible for
Run ipa-dns-install again. It should drop all older tokens from the HSM.
I still see It is probably just a doc issue
@tduehr we (@tomaskrizek) asked on the OpenDNSSEC mailing list for assistance https://lists.opendnssec.org/pipermail/opendnssec-user/2017-July/004086.html
I found an old msg on that subject but it seems a bit off. http://opendnssec-user.opendnssec.narkive.com/RVxfYrbG/softhsmv2-key-extraction We'll also need some help porting the SQL used in IPA from 1.x to 2.x
We're getting closer. I'm not getting export errors any more. Now I just have to fix the replicant and we'll have a full test...
@tduehr Thank you. Also I have a good message, the Until this fix is released, this should be patched downstream in ubuntu, fedora, etc.
It may not be necessary, let me get the fixes over to my replication host and see how they've worked so far. Though, I'm still not getting signatures from the primary. I also have the call to
... And there's 0x70 ...
Is this patch still relevant? If yes, please rebase to latest master and address failing CI.
@tiran It is relevant to have working DNSSEC with opendnssec 2.0+, which is already in Debian. To avoid working with 2 different versions in upstream, we filed a BZ for opendnssec rebase to 2.0+ in Fedora. There has been no activity in the BZ and this PR is thus blocked.
Thanks @tomaskrizek. I have left a comment on https://bugzilla.redhat.com/show_bug.cgi?id=1470604
Paul is working on OpenDNSSEC 2.1. He started by upgrading the packages to latest 1.4. https://bugzilla.redhat.com/show_bug.cgi?id=1332354
It became ods-enforcer and its behavior changed.
Working on this again in ubuntu... rebased against master and now ods-enforcer is running. Just need to get ipa-ods-exporter fixed:
Closing due to inactivity.
@tduehr Probably check the flags mentioned in comment #920 (comment) again. @rcritten I don't think that this PR should be closed due to inactivity. I see a comment from a community member but no reply from developers. Also the inactivity is in the opened DNSSEC BZ; because OpenDNSSEC introduced incompatible changes, you need a newer OpenDNSSEC to have this code tested. Or does this mean that semi-broken DNS in ubuntu will never be fixed and newer opendnssec unsupported forever? Maybe dropping DNSSEC from FreeIPA might be a good solution too.
@MartinBasti it can be re-opened if there is someone interested in pursuing it. I closed several due to inactivity (more than a month since last update) to clean up the PR backlog.
@MartinBasti There seem to be two parts of this.
It became ods-enforcer and its behavior changed.