I've been using DNSSEC to sign my internal DNS zones with FreeIPA for quite some time now and have never had any problems. But suddenly, I noticed ipa-dnskeysyncd.service was continuously failing to start, throwing this traceback:
dnssec-keyfromlabel: fatal: failed to get key RSASHA256: not found
ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE
Looking deeper into the logs, I could see that LDAP was happily reporting it was adding key metadata to my zones, but the local token was instantly rejecting it:
The public key was not found at: pkcs11:object=...
The root cause turned out to be a cryptographic "split-brain" situation. The metadata stored in the LDAP directory was correct, but the actual cryptographic private/public key material stored by the local SoftHSM token was missing.
You can verify if your saved keys are actually in the token by pointing pkcs11-tool at the FreeIPA SoftHSM database:
[root@ipa03 ~]# export SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
[root@ipa03 ~]# pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so -l -O --pin $(cat /var/lib/ipa/dnssec/softhsm_pin)
The logical first step would be to just disable DNSSEC on the affected zones using the CLI. Don't bother; this won't work. Toggling that flag updates LDAP, but ipa-dnskeysyncd is the daemon responsible for actually applying that change. Because it is trapped in a crash loop during its initial startup scan, it will die before it is ever able to read your change.
The only way forward here is performing open-heart surgery: purging the orphaned keys directly from the LDAP directory. Replication and a restart of the DNS services will take care of the rest.
First, grab an admin ticket, generate a list of all broken DNSSEC keys in LDAP, and stage them for deletion:
[root@ipa03 ~]# kinit admin
[root@ipa03 ~]# ldapsearch -Y GSSAPI -o ldif-wrap=no -b 'cn=dns,dc=archyslife,dc=lan' '(objectclass=idnsSecKey)' dn | awk '/^dn: / {print $2}' > /tmp/orphaned-dnssec-keys.txt
Then, bulk-delete the corrupted keys from LDAP:
[root@ipa03 ~]# ldapdelete -Y GSSAPI -f /tmp/orphaned-dnssec-keys.txt
With the poison pills removed, restart the sync daemon. It will start cleanly and generate fresh keys:
[root@ipa03 ~]# systemctl restart ipa-dnskeysyncd.service
Now it's time to clean up OpenDNSSEC's backlog. Because FreeIPA generates new keys, they will be stuck in a "waiting" state. Search for the waiting keys and grab their CKA_ID:
[root@ipa03 ~]# ods-enforcer key list -v | grep -iIE 'waiting for ds-seen'
Next, force the transition for your zones by telling OpenDNSSEC the DS records have been seen:
[root@ipa03 ~]# ods-enforcer key ds-seen --zone ${DNS_ZONE} --cka_id ${CKA_ID}
As a final step, ensure the physical key material is properly replicated via Custodia and loaded into memory on all your replicas. The easiest way to do this is to restart the IPA stack on all remaining ipa servers:
[root@ipa01 ~]# ipactl stop; sleep 10; ipactl start
[root@ipa02 ~]# ipactl stop; sleep 10; ipactl start
Finally, verify that your servers are returning the new DNSSEC signatures. Run this against each of your FreeIPA DNS servers to confirm the RRSIG is attached:
[root@client ~]# dig +dnssec +short @ip.of.dns.server SOA archyslife.lan Feel free to comment and / or suggest a topic.
Comments
Post a Comment