Today, I upgraded one of my machines to F33. Upon first F33 boot I noticed that the dnssec-triggerd service failed to start.

It turns out I had very old dnssec-trigger keys and certificates ("only" 1536-bit RSA) generated back in 2014 which no longer passed as acceptable per the default crypto policy change [1], which requires at least 2048-bit keys.

The work-around is to move away or delete the existing keys and certificates in /etc/dnssec-trigger and let dnssec-triggerd-keygen.service generate new ones. After that, the dnssec-triggerd.service starts successfully.

I filed a bug [2] against dnssec-trigger.

[1] https://www.fedoraproject.org/wiki/Changes/StrongCryptoSettings2
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1886172

Regards,
Dominik
--
Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan
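
The check and work-around described in the message above, as an added shell example that is not part of the original post: it reports RSA keys and certificates below 2048 bits in a directory and moves the key material aside so it can be regenerated. The script name, the `weak-keys.bak` backup directory and the `*.pem` / `*.key` file patterns are assumptions; the unit names and the directory are the ones the message names.

```sh
#!/bin/sh
# Added example, not from the original post. Script name and backup directory
# are hypothetical; unit names and the 2048-bit minimum come from the post.
MIN_BITS=2048

# Print the RSA key size in bits of a PEM certificate or private key file.
# Prints nothing if the file is unreadable or does not hold an RSA key.
rsa_bits() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null ||
           openssl pkey -in "$1" -passin pass: -noout -text 2>/dev/null) || return 0
    printf '%s\n' "$text" | grep -qi 'modulus' || return 0
    printf '%s\n' "$text" | sed -n 's/.*-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Print "<bits> <file>" for each *.pem / *.key in directory $1 below MIN_BITS.
list_weak_keys() {
    for f in "$1"/*.pem "$1"/*.key; do
        [ -f "$f" ] || continue
        bits=$(rsa_bits "$f")
        if [ -n "$bits" ] && [ "$bits" -lt "$MIN_BITS" ]; then
            echo "$bits $f"
        fi
    done
    return 0
}

# If any key in $1 is weak, move all key material into $2 (keys and
# certificates are regenerated together). Returns 1 if nothing was weak.
move_weak_keys_aside() {
    [ -n "$(list_weak_keys "$1")" ] || return 1
    mkdir -p "$2" || return 2
    for f in "$1"/*.pem "$1"/*.key; do
        if [ -f "$f" ]; then mv -- "$f" "$2"/; fi
    done
    return 0
}

# Usage (as root): sh fix-dnssec-trigger-keys.sh /etc/dnssec-trigger
if [ $# -eq 1 ]; then
    list_weak_keys "$1"
    if move_weak_keys_aside "$1" "$1/weak-keys.bak"; then
        systemctl start dnssec-triggerd-keygen.service   # generates new keys
        systemctl restart dnssec-triggerd.service
    fi
fi
```

Running `list_weak_keys` on its own before an upgrade shows whether the work-around will be needed, without changing anything.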