On Wed, 7 Oct 2020, Dominik 'Rathann' Mierzejewski wrote:
> Today, I upgraded one of my machines to F33. Upon first F33 boot I
> noticed that the dnssec-triggerd service failed to start. It turns out I
> had very old dnssec-trigger keys and certificates ("only" 1536-bit RSA)
> generated back in 2014 which no longer passed as acceptable per the
> default crypto policy change [1], which requires at least 2048-bit keys.
> The work-around is to move away or delete the existing keys and
> certificates in /etc/dnssec-trigger and let
> dnssec-triggerd-keygen.service generate new ones. After that, the
> dnssec-triggerd.service starts successfully. I filed a bug[2] against
> dnssec-trigger.
Can dnssec-trigger not work now via a unix domain socket instead of TLS
for its command channel? I know NLnetlabs added that for its other
servers like unbound and nsd that only supported TLS before.
The man page suggests it does not support this yet, but I'm pretty
sure upstream would accept a patch.
Paul
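The check and clean-up behind Dominik's work-around, as an added example; this is my own script, not code from the thread, from Fedora's crypto-policies or from the dnssec-trigger project. It assumes the openssl CLI is installed, that the files under /etc/dnssec-trigger are RSA keys and self-signed certificates named *.key, *.pem or *.crt (the globs and the "pre-f33-backup" directory name are my choices), and uses 2048 bits as the floor, which is what the F33 DEFAULT policy enforces. It reports the modulus size of every file, and can move the ones below the floor aside so dnssec-triggerd-keygen.service regenerates a fresh set:

```shell
#!/bin/sh
# Added example, not part of dnssec-trigger: audit and retire RSA keys and
# certificates that Fedora's DEFAULT crypto policy (>= 2048-bit RSA) rejects.
# Assumes the openssl CLI is available and that the material is RSA
# (an EC key would also match the pattern below, but its bit count is not
# comparable with an RSA modulus, so treat EC files separately).

MIN_RSA_BITS=2048

# Print the modulus size in bits of one PEM file, trying it first as a
# private key and then as an X.509 certificate. Fails (status 1) if neither
# parser accepts the file.
key_bits() {
    f="$1"
    out=$(openssl pkey -in "$f" -noout -text 2>/dev/null) ||
    out=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || return 1
    # OpenSSL 1.1 prints "RSA Private-Key: (1536 bit, 2 primes)" and
    # "RSA Public-Key: (2048 bit)"; OpenSSL 3 drops the "RSA " prefix.
    # Both forms contain "-Key: (<bits> bit".
    printf '%s\n' "$out" |
        sed -n 's/.*-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# List every key/cert in $1 (default /etc/dnssec-trigger) with its size.
# Returns 0 if all files meet MIN_RSA_BITS, 1 if at least one is weaker.
scan_dir() {
    dir="${1:-/etc/dnssec-trigger}"
    rc=0
    for f in "$dir"/*.pem "$dir"/*.key "$dir"/*.crt; do
        [ -f "$f" ] || continue
        bits=$(key_bits "$f") || bits=""
        if [ -z "$bits" ]; then
            echo "SKIP  $f (not a parsable key or certificate)"
        elif [ "$bits" -ge "$MIN_RSA_BITS" ]; then
            echo "ok    $f ($bits bit)"
        else
            echo "WEAK  $f ($bits bit, below $MIN_RSA_BITS)"
            rc=1
        fi
    done
    return $rc
}

# Move every file below MIN_RSA_BITS out of $1 into $2 (default
# $1/pre-f33-backup) rather than deleting it, so the old material can be
# inspected or restored. The server key and its certificate were generated
# together and share one modulus, so both end up moved as a pair; never
# leave one half of such a pair behind.
retire_weak() {
    dir="${1:-/etc/dnssec-trigger}"
    backup="${2:-$dir/pre-f33-backup}"
    mkdir -p "$backup"
    for f in "$dir"/*.pem "$dir"/*.key "$dir"/*.crt; do
        [ -f "$f" ] || continue
        bits=$(key_bits "$f") || bits=""
        if [ -n "$bits" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
            echo "moving $f -> $backup/"
            mv "$f" "$backup/"
        fi
    done
    echo "next: systemctl start dnssec-triggerd-keygen.service &&" \
         "systemctl restart dnssec-triggerd.service"
}

# Command-line use:  sh checkkeys.sh --scan [dir]
#                    sh checkkeys.sh --retire [dir] [backupdir]
case "${1:-}" in
    --scan)   scan_dir "${2:-}" ;;
    --retire) retire_weak "${2:-}" "${3:-}" ;;
esac
```

Run `--scan` first; the thread's 1536-bit files show up as WEAK while anything regenerated by dnssec-triggerd-keygen.service shows as ok. `--retire` is the "move away" half of the work-around; the final restart of dnssec-triggerd.service is left to the operator because the regenerated control certificate also has to be distributed to any dnssec-trigger-control client that talks to this daemon. `update-crypto-policies --show` prints the active policy if you want to confirm that DEFAULT, and not LEGACY, is what the machine is running.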