[Opendnssec-user] Showstopper bug pull requests
Mikko Rantanen
ods-dog at hole.fi
Tue Dec 19 15:24:47 UTC 2023
Good day,
TL;DR: upgrading from 1.4 to 2.1 on RPM-based distros - you need this.
I'm involved in managing DNSSEC for .sa and xn--mgberp4a5d4ar. We used to
use .rpm based distros and MariaDB/MySQL backend running with OpenDNSSEC
(later 'ODS') 1.4, naturally self-compiled because only SQLite-backend
based packages were available.
Additionally, our key material is generated using a 'proper' key ceremony,
fed into an HSM, and 'ods-enforcer key import' (..--keystate GENERATE)
with known CKA_IDs to tell ODS the relation between key type
(ZSK/KSK/CSK), their use, TLD/ccTLD domain etc.
During migration from 1.4 to 2.1.x, we faced several showstopper bugs. I
have communicated privately with two list members about two of those bugs,
and I have received either confirmation or at least positive feedback
suggesting correctness in bug evaluation and patch, and I'd like to
share these with you.
The showstopper bugs we encountered are:
SUPPORT-278 - [hsm] hsm_get_dnskey(): Got NULL key
SUPPORT-289 - Can not import keys created outside HSM: ods-enforcer key
import broken
SUPPORT-291 - Wrong inception time in keyData after migration
(these are available from URLs like
https://issues.opendnssec.org/browse/SUPPORT-278, just change the number).
As if this was not enough, we encountered
SUPPORT-283 - OpenDNSSEC Bogus Signature, Redhat 9 native packages
..which is NOT an ODS problem, but rather probably affects all .rpm based
distros. For this, I have received confirmation from a list member.
On top of this, the 1.4 database _we_ had was broken in such a way that it
worked as expected on 1.4, but there were many time-wise impossibilities,
where the key generate (inception) time is _after_ the key has been used, and
one other problem (probably not worth elaborating here, but a showstopper
too). Those needed manual UPDATE ... in the SQL database before migration
(with the SUPPORT-291 patch) would succeed.
I have created support requests in OpenDNSSEC JIRA and put in PRs (pull
requests) against the 2.1/develop branch
https://github.com/opendnssec/opendnssec/tree/2.1/develop like this:
https://github.com/opendnssec/opendnssec/pull/849 - SUPPORT-278
https://github.com/opendnssec/opendnssec/pull/850 - SUPPORT-289
https://github.com/opendnssec/opendnssec/pull/851 - SUPPORT-291
https://github.com/opendnssec/opendnssec/pull/852 - Necessary files for
'rpmbuild' to build MariaDB/MySQL enforcer backend in RPM-based distros
The last pull request is two files, 'opendnssec-mysql.spec' and
'conf-mysql.xml.in', plus some misc stuff like the RSA key length changed
from 1024 -> 2048. With this PR, people should (_should_) be able to
rpmbuild on .rpm based distros for the MariaDB/MySQL backend instead of
SQLite.
Best regards,
--
Mikko Rantanen / ods-dog at hole.fi