I think I see the problem now. The values in the file dsset-example.com generated by signing the zone are not good. I believe this was the bad value being provided as reported by the registrar. It was mentioned in a user's comment on the DNSSEC guide that using the dsset file wasn't the thing to do. Using one of the other approaches with dnssec-dsfromkey is needed. The values in the dsset file begin the same but are different.
On Mon, May 16, 2022 at 11:37 AM frank picabia <fpica...@gmail.com> wrote:
>
> That's helpful. Very similar to what I found a minute ago on
>
> https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/
>
> with their example:
>
> dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net
>
> I've done this for my domain and both of my DS keys are showing up. Tried
> the dnssec-dsfromkey with the .key file as well and that sanity check passed.
> I think I'm set up all right, I'll need to check again with the domain registrar.
>
> Thanks for the assistance.
>
>
> On Mon, May 16, 2022 at 11:15 AM Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
>
>> If you have the public key file you can do:
>>
>> dnssec-dsfromkey Kexample.com.+013+55640.key
>> example.com. IN DS 55640 13 2 CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9
>>
>> Or you can query the auth nameserver like this:
>>
>> dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" | dnssec-dsfromkey -f - example.com.
>>
>> Daniel
>>
>>
>> On 16.05.22 16:01, frank picabia wrote:
>> > Let's put it another way:
>> >
>> > Using tools like host or dig, can I look up my DS without it talking to
>> > the domain registrar?
>> >
>> > If it is always getting it from the domain registrar, I can't see how to
>> > check the DS is set up all right purely within bind.
>> >
>> >
>> > On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev <ana...@ripe.net> wrote:
>> >
>> > On 16/05/2022 15:07, frank picabia wrote:
>> >
>> > Hi Frank,
>> >
>> > > I have dsset-example.com showing two DS keys with algorithm 8.
>> > > I included both .key files in my DNS. Only digest 1 comes back
>> > > in a dig query.
>> > >
>> > > I use the dnssec-signzone tool to sign the zone file.
>> > >
>> > > The domain registrar says there is a problem with the digest 2 value.
>> > > It's copied directly from the dsset file.
>> > >
>> > > Not sure about the chicken and the egg in this case. When I do a dig, is
>> > > it really just getting the value back from the domain registrar?
>> > >
>> > > Any suggestions on how to ensure my digest 2 DS value is set up right?
>> >
>> > We cannot help you if we cannot see the DS records or know which domain
>> > they are for.
>> >
>> > Anand
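The DS value that dnssec-dsfromkey prints is nothing more than a digest over the zone's owner name and the DNSKEY RDATA (plus a key tag computed from the same RDATA), which is why it can be checked locally without asking the registrar. The following Python, added here as an illustration and not part of this thread or of BIND, performs that calculation on a constructed dummy KSK and compares the result against a DS line in the form a registrar would hold it.

```python
# Added example: recompute a DS record from a DNSKEY line (RFC 4034) so a
# DS held by the registrar can be checked against the key actually served.
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(owner: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [lb for lb in owner.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' into (owner, rdata)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the first number in a DS record)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """DS presentation line: 'owner IN DS keytag alg digest_type digest'."""
    owner, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(dnskey_line: str, registrar_ds: str) -> bool:
    """True if the DS the registrar holds was derived from this DNSKEY."""
    want = ds_record(dnskey_line, int(registrar_ds.split()[-2])).split()
    have = registrar_ds.split()
    # compare key tag, algorithm, digest type and digest (hex case-insensitive)
    return [f.upper() for f in want[-4:]] == [f.upper() for f in have[-4:]]

# Constructed dummy KSK (flags 257, algorithm 13) with a placeholder public
# key; it is not a usable key, only input for the DS arithmetic above.
DUMMY_KSK = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(b"\x01" * 64).decode()

if __name__ == "__main__":
    print(ds_record(DUMMY_KSK))
```

Feeding the output of `dig @localhost example.com. DNSKEY` (the 257-flagged lines) to ds_matches together with the DS the registrar reports tells you which side holds the stale value.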
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users