Today, I upgraded one of my machines to F33. Upon first F33 boot I
noticed that the dnssec-triggerd service failed to start. It turns out I
had very old dnssec-trigger keys and certificates ("only" 1536-bit RSA)
generated back in 2014 which no longer passed as acceptable per the
default crypto policy change [1], which requires at least 2048-bit keys.
The work-around is to move away or delete the existing keys and
certificates in /etc/dnssec-trigger and let
dnssec-triggerd-keygen.service generate new ones. After that, the
dnssec-triggerd.service starts successfully. I filed a bug[2] against
dnssec-trigger.[1] https://www.fedoraproject.org/wiki/Changes/StrongCryptoSettings2 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1886172 Regards, Dominik -- Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org There should be a science of discontent. People need hard times and oppression to develop psychic muscles. -- from "Collected Sayings of Muad'Dib" by the Princess Irulan _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
