Skip to content

Three "dnssec" failures on Fedora 38

The dnssec system test fails in three tests on Fedora 38. Supposedly, there were no crypto changes in Fedora 38.

1

I:dnssec:  check that 'dnssec-signzone -F' failed with disallowed algorithm (110)
I:dnssec:failed

The test expects fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data but gets dnssec-signzone: fatal: No signing keys specified or found. although dnssec/signer/general/Kexample.com.+005+19857.{key,private} files are present.

2

I:dnssec:check that 'dnssec-keygen -F' disables rsasha1 (232)
I:dnssec:failed

The test expects unsupported algorithm: RSASHA1 but gets dnssec-keygen: fatal: unsupported algorithm: rsasha1.

3

I:dnssec:check that 'dnssec-keygen -F' disables nsec3rsasha1 (233)
I:dnssec:failed

The test expects unsupported algorithm: NSEC3RSASHA1 but gets dnssec-keygen: fatal: unsupported algorithm: nsec3rsasha1.

For issues 2 and 3, matching case-insentively with -i is enough.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information