Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: rhel-10.0
Affects Version/s: CentOS Stream 10, rhel-10.0.beta
Component/s: bind-dyndb-ldap
Labels:

Fixed in Build:
bind-dyndb-ldap-11.10-28.el10
Regression:
None
Severity:
Important
Epic Link:
FREEIPA-11139
sprint_count:
1

AssignedTeam:
rhel-idm-ipa
Sub-System Group:

ssg_idm

Dev Target Milestone:
30
Internal Target Milestone:
31
Story Points:
3
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
2024-Q4-Alpha-S4
Release Blocker:
Approved Exception

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/143012
Test Coverage:
None

Release Note Type:
Known Issue
Release Note Text:

Hide
.DNSSEC not working correctly in RHEL IdM

The DNS Security Extensions (DNSSEC) do not function correctly in Identity Management (IdM) in RHEL 10.0 because of multiple unresolved issues stemming from the replacement of the `openssl-pkcs11` OpenSSL engine with the `pkcs11-provider` OpenSSL provider.

The changes introduced by OpenSSL have impacted the integrated DNS functionality within RHEL IdM. Specifically, the changes are affecting multiple components in IdM, including `ipa`, `bind`, `bind-dyndb-ldap`, `softhsm`, and `python-cryptography`, and how these components interact with security modules.

Show
.DNSSEC not working correctly in RHEL IdM The DNS Security Extensions (DNSSEC) do not function correctly in Identity Management (IdM) in RHEL 10.0 because of multiple unresolved issues stemming from the replacement of the `openssl-pkcs11` OpenSSL engine with the `pkcs11-provider` OpenSSL provider. The changes introduced by OpenSSL have impacted the integrated DNS functionality within RHEL IdM. Specifically, the changes are affecting multiple components in IdM, including `ipa`, `bind`, `bind-dyndb-ldap`, `softhsm`, and `python-cryptography`, and how these components interact with security modules.
Release Note Status:
Done

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Dear colleagues,

Your component is dependent on the package openssl-pkcs11 which is going to be removed in RHEL-10 beta. The replacing package is pkcs11-provider

Engines are not FIPS compatible and corresponding API is deprecated since OpenSSL 3.0.

We kindly ask you to implement patches or apply compiling options to eliminate the dependency on the openssl-pkcs11 package. We kindly ask you to add this work to the nearest sprint.

Feel free to reach the Crypto team if you have any problems with the necessary changes.

blocks

RHEL-33729 Please stop using OpenSSL ENGINE API in bind

Release Pending

is blocked by

RHEL-55767 bind: Rebase to next major 9.20

Closed

links to

RHBA-2024:143012 bind-dyndb-ldap update

Assignee:: Thomas Woerner

Reporter:: Dmitry Belyavskiy

Developer:: Rafael Jeffman

QA Contact:: Sudhir Menon

Doc Contact:: Filip Hanzelka

Votes:: 0 Vote for this issue

Watchers:: 13 Start watching this issue

Created:: 2024/03/27 9:04 AM

Updated:: 2025/08/21 1:17 AM

Resolved:: 2025/05/13 11:34 AM

Dev Target end:: 2025/03/17

Target end:: 2025/03/24

Next Planned Release Date:: 2025/05/13

Release Date:: 2025/05/13

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide