From inside infra, this works:
```
[root@openqa01 fedora][PROD-IAD2]# dig dl.fedoraproject.org +sigchase
... TECHNICAL INTERLUDE ...
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
```
but this doesn't:
```
[root@openqa01 fedora][PROD-IAD2]# dig dl.iad2.fedoraproject.org +sigchase
;; RRset to chase:
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.49
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.50
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.51
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.85
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.84

Launch a query to find a RRset of type RRSIG for zone: dl.iad2.fedoraproject.org.
;; RRSIG is missing for continue validation: FAILED
```
Can we fix that? #5807 was a similar issue in old infra which puiterwijk fixed, so I hope we can fix it in new infra too.
The issue is that .iad2.fedoraproject.org is not a DNSSEC zone. I did not set up the records as we were having a lot of other setup issues and never remembered. Thanks for opening this ticket and my apologies for forgetting.
Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: high-gain, medium-trouble, ops
Metadata Update from @smooge:
- Issue assigned to smooge
```
[root@ns01 master][PROD-IAD2]# dig +dnssec bastion01.iad2.fedoraproject.org @ns02.iad2.fedoraproject.org.

; <<>> DiG 9.11.13-RedHat-9.11.13-6.el8_2.1 <<>> +dnssec bastion01.iad2.fedoraproject.org @ns02.iad2.fedoraproject.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36375
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 0f6fe38e3ceafdc428fc28ff5fa1e0e710fe0fb43913d063 (good)
;; QUESTION SECTION:
;bastion01.iad2.fedoraproject.org. IN A

;; ANSWER SECTION:
bastion01.iad2.fedoraproject.org. 300 IN A 10.3.163.31
bastion01.iad2.fedoraproject.org. 300 IN RRSIG A 14 4 300 20201203213612 20201103213612 14737 iad2.fedoraproject.org. XzGItAyb2dMsmJG+YgWEYxg6vnFJTkTWn2z+N29REhuA4H5oezFEhUai Gfd/gGf8x6fNWXo5OTbCQltMjQrmVWFAzX20shN2WjhB59iKJf7z0D4p ToEWx8Y0xyEVVW3v

;; Query time: 0 msec
;; SERVER: 10.3.163.34#53(10.3.163.34)
;; WHEN: Tue Nov 03 22:59:51 GMT 2020
;; MSG SIZE  rcvd: 255

;; RRset to chase:
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.84
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.50
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.85
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.49
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.51

;; RRSIG of the RRset to chase:
dl.iad2.fedoraproject.org. 300 IN RRSIG A 14 4 300 20201203213612 20201103213612 14737 iad2.fedoraproject.org. Pj4azvbVxDNQP3cNJL7CBrpjNmExM7QSTVYIt7VJqGm3GfCeVbmhjC78 zL/eyAdIzQpsUr zd3u4h2hFsCj+ekI9/bAor72zbkr5Jqsns+Yx7pBwg RwGnr7i3shYz8E4l

Launch a query to find a RRset of type DNSKEY for zone: iad2.fedoraproject.org.
;; DNSKEYset that signs the RRset to chase:
iad2.fedoraproject.org. 300 IN DNSKEY 256 3 14 bnQVjF3MY96Qx01/9ai+Yctws6gezpgKNO3JTMmhkbn4nNnB9qeZBM5m V4eFSRg4CTIk6X3FkN2Gx5QsjnX0xk0xs7KTlJ5a3dW4iB77GEgU5zBi 9XR6uvh3lOlzqhab
iad2.fedoraproject.org. 300 IN DNSKEY 257 3 14 0PBedsEk+ok07Of945OEgEXaILGzsFX7RCgj8a2eGpSICWLBhZ71GFaQ MNZkPBYLbnt3nTnzt9Q1ZmpF1jG+ZQjJ/kSX8rJPOMeiYxu7qzQyng5Q jnKc/eUss+vnt0pf

;; RRSIG of the DNSKEYset that signs the RRset to chase:
iad2.fedoraproject.org. 300 IN RRSIG DNSKEY 14 3 300 20201203213612 20201103213612 14737 iad2.fedoraproject.org. anPLD01L42b2nT5+EXdeLqnzPk9IraD6hwBJZvEGb37SHi6ZdNHGXoRD /6s3Ka0Td /6SQZFzDf4xP89y6DijJfmnHKs6TMc9I1GW/shSzAmYxmEc dtNE3qC4BRzQT/uk
iad2.fedoraproject.org. 300 IN RRSIG DNSKEY 14 3 300 20201203213612 20201103213612 45812 iad2.fedoraproject.org. BiDIMxisEf/+WMT+J0s7MkmMl0NMusK3/9Xiplgozlgv/IyVZ1XcISKy 5GWT8E+Ti 8AM0p0XBiofBwrAgMklJD32m2ptgXtJDT7gChd8isMxj0dz lIe5FSXYLtce+rWY

Launch a query to find a RRset of type DS for zone: iad2.fedoraproject.org.
;; DSset of the DNSKEYset
iad2.fedoraproject.org. 300 IN DS 45812 14 2 7E295F8CCB93B79BFD0B23C208ACEAD46D5EDA4BF43400ED9C627FD1 955735C6
iad2.fedoraproject.org. 300 IN DS 45812 14 1 12A608927DE1D2E04757F8A9B5E06E0DF2FBDB00

;; RRSIG of the DSset of the DNSKEYset
iad2.fedoraproject.org. 300 IN RRSIG DS 5 3 300 20201203213608 20201103213608 7725 fedoraproject.org. TWfGnH548tp6zr+0YOIKacBlJ4H71GZF6QCQ2hfE7NiiqNJokKKP7sHO EShiIVBZQH6YpNzX8uNm NLEzT4gXr04qcQS9unR8V1fMil1lRN1OiXEU zyUIqWQJpqh7M3xC3iZqBJ1nTvvBeZZ5Bnkga3+WZWArI8LHNvtRo7Fg aJc=

;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for dl.iad2.fedoraproject.org. with DNSKEY:14737: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for iad2.fedoraproject.org. with DNSKEY:45812: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS : recursive call

Launch a query to find a RRset of type DNSKEY for zone: fedoraproject.org.
;; DNSKEYset that signs the RRset to chase:
fedoraproject.org. 300 IN DNSKEY 256 3 5 AwEAAcCWNQWl5pCI3iOOP2r8nStL60Zjb/2JQLQytamVap0L44z0YWft u7pu0hx3cnIM1ejQOsEwbg2/10IyC+38cYqJDXbSdFg1zGztOS5xNz7r 9hzSRK5N2jkycdJ/BoBy J4Y+XGpDqfG4I97++8sIzSrw60TmGAKTvM9v iL3ByeCN
fedoraproject.org. 300 IN DNSKEY 257 3 5 AwEAAdTXJc0joiKGfTvLXi+LXxGpKvPvOoJEst9PR8TCCvXGVp7h3BY3 uXLkjckuT0aopCp2KF8zHgNgpMK03p1fd94pn9JZSuxfqvKsiYH2KvNO a/655oPj06jRhqAP5grX 01Iz4BH411ZhGxIQ1BzZtOr1wAazojMJzLUg ChRJs8GVt3LU0e6T8z1RQF33Dt9UMHIR5EAsFAqfZ/tsbfJDYktGoZi3 nFlW7A745+ObM1LNXOWq3FcYPVzhH08Q7/7WpxmzM6/ET8VeqWIsvh8E nZNDNMfJyPbY9B1BOIrFCpE03ALgFMejaBZwmeQ aX+D4Duup5xGOmdtC O4GSpM1YH6c=
```
Zone is now signed.
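The failure in this ticket is the simplest DNSSEC breakage there is: an A RRset answered with no covering RRSIG, because the `iad2.fedoraproject.org` zone had never been signed. A small monitoring check that catches that condition before a validating resolver (here, FreeIPA) does is shown below. This is an added example and not code from the ticket or from Fedora Infrastructure; the two sample answers are copied from the dig output above (the `dl.iad2` RRset before the fix and the `bastion01` answer after it), while the checking logic, the `Report`/`Rrsig` names and the `AFTER_EXPIRY` instant are constructed for the example. It checks structure only (an RRSIG exists, its validity window contains the query time, the signer is the zone the name lives in, the labels field is sane); it does not verify the signature cryptographically.

```python
"""Spot DNS names whose A RRset is answered without a covering RRSIG.

Added example; not code from the Fedora infrastructure ticket or from the
Fedora sysadmin repositories. Sample answers are copied from the dig output
in the ticket; the checking logic and the AFTER_EXPIRY instant are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Pre-fix `dig dl.iad2.fedoraproject.org +sigchase` RRset (copied from the
# ticket): five A records and no RRSIG, because the zone was unsigned.
BEFORE_FIX = """
;; RRset to chase:
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.49
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.50
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.51
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.85
dl.iad2.fedoraproject.org. 300 IN A 10.3.163.84
"""

# Post-fix `dig +dnssec bastion01.iad2.fedoraproject.org` answer section
# (copied from the ticket), with the RRSIG signed by key tag 14737.
AFTER_FIX = """
;; ANSWER SECTION:
bastion01.iad2.fedoraproject.org. 300 IN A 10.3.163.31
bastion01.iad2.fedoraproject.org. 300 IN RRSIG A 14 4 300 20201203213612 20201103213612 14737 iad2.fedoraproject.org. XzGItAyb2dMsmJG+YgWEYxg6vnFJTkTWn2z+N29REhuA4H5oezFEhUai Gfd/gGf8x6fNWXo5OTbCQltMjQrmVWFAzX20shN2WjhB59iKJf7z0D4p ToEWx8Y0xyEVVW3v
"""

# Query time printed by that dig run ("WHEN: Tue Nov 03 22:59:51 GMT 2020")
# and a constructed later instant past the RRSIG's expiration (20201203213612).
QUERY_TIME = datetime(2020, 11, 3, 22, 59, 51, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2020, 12, 10, 0, 0, 0, tzinfo=timezone.utc)


@dataclass
class Rrsig:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


@dataclass
class Report:
    name: str
    addresses: List[str]
    rrsig: Optional[Rrsig]
    problems: List[str]

    @property
    def ok(self) -> bool:
        return not self.problems


def _sig_time(field: str) -> datetime:
    # RRSIG presentation format gives times as YYYYMMDDHHmmSS in UTC (RFC 4034 3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_records(text: str):
    """Yield (owner, type, rdata_fields) for each 'owner TTL IN TYPE rdata' line.

    Lines starting with ';' are dig commentary (including the question
    section) and are skipped, so raw dig output can be fed in unchanged."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        yield fields[0], fields[3], fields[4:]


def check_a_rrset(text: str, now: datetime) -> Report:
    """Report whether the A RRset in `text` carries a plausible covering RRSIG."""
    records = list(parse_records(text))
    a_records = [(owner, rdata) for owner, rtype, rdata in records if rtype == "A"]
    if not a_records:
        raise ValueError("no A records in input")
    name = a_records[0][0]
    addresses = sorted(rdata[0] for _, rdata in a_records)
    # RRSIG rdata: type_covered alg labels orig_ttl expiration inception key_tag signer sig...
    sigs = [
        Rrsig(r[0], int(r[1]), int(r[2]), int(r[3]), _sig_time(r[4]),
              _sig_time(r[5]), int(r[6]), r[7])
        for owner, rtype, r in records
        if rtype == "RRSIG" and owner == name and r[0] == "A"
    ]
    if not sigs:
        return Report(name, addresses, None,
                      ["no RRSIG covers the A RRset: zone unsigned, or the "
                       "resolver stripped it (DO bit not set)"])
    sig = sigs[0]
    problems = []
    if not sig.inception <= now <= sig.expiration:
        problems.append(f"RRSIG outside validity window at {now:%Y-%m-%dT%H:%M:%SZ}")
    # The signer must be the zone the name lives in: the name itself or an ancestor of it.
    if name != sig.signer and not name.endswith("." + sig.signer):
        problems.append(f"signer {sig.signer} is not an ancestor of {name}")
    # RFC 4034 3.1.3: the labels field counts the owner's labels; larger is invalid.
    owner_labels = len(name.rstrip(".").split("."))
    if sig.labels > owner_labels:
        problems.append(f"labels field {sig.labels} exceeds owner label count {owner_labels}")
    return Report(name, addresses, sig, problems)


if __name__ == "__main__":
    for label, sample in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        rep = check_a_rrset(sample, QUERY_TIME)
        print(f"{label}: {rep.name} {'OK' if rep.ok else 'FAILED'} {'; '.join(rep.problems)}")
```

Run against `dig +dnssec <name>` output saved to a file, the check flags exactly what the ticket saw: the pre-fix `dl.iad2` RRset reports "no RRSIG covers the A RRset", while the post-fix `bastion01` answer passes with signer `iad2.fedoraproject.org.` and key tag 14737. Re-running the same answer at a time past the expiration field turns it into a validity-window failure, which is the other common way a signed zone breaks (signatures not re-rolled before they expire).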
Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
awesome, thanks. I'll check this fixes my freeipa issue tomorrow.
It's tomorrow, right? :)
Fix seems good, thanks!