On 28-Dec-22 19:40, Eric Germann wrote:
My question is

Is there any way to decode the DS record and see what key tag is actually encoded in it?  If it’s 32686 it’s an issue with Route53.  If it’s 22755 it’s an issue with dnssec-dsfromkey.

If anyone wants the DNSKEY for algorithm 8, ping me off list and I will share it with you in a private email.

Thoughts?


Perhaps you have TTL issues.

dnssec-dsfromkey and dnsviz are both accurate.

The keytag is visible in the DS record.  No decoding needed: first field after "DS".

ericgermann.photography. 3600   IN      DS 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9

See also Perl Net::DNS::SEC.  Here are some one-liners from your domain that print the keytag from DS and DNSKEY records.

perl -MNet::DNS -MNet::DNS::SEC -e' print Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2 2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
22755

perl -MNet::DNS -MNet::DNS::SEC -e' print Net::DNS::RR->new("ericgermann.photography. DNSKEY  256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ=")->keytag,"\n"'
48248

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
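The key tag arithmetic behind those Net::DNS one-liners, as an added example (Python, not part of the original message or of Net::DNS): RFC 4034 Appendix B applied to the DNSKEY quoted in the thread, plus the trivial read-off of the tag from the DS record, so a DS published by a registrar can be checked against the DNSKEY set it is supposed to refer to.

```python
import base64
import struct

# Records quoted in the thread (sample input copied from the message above).
DNSKEY_RR = "ericgermann.photography. DNSKEY 256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ="
DS_RR = ("ericgermann.photography. 3600 IN DS 22755 8 2 "
         "2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def keytag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.  Valid for every algorithm except the
    obsolete RSA/MD5 (algorithm 1), which uses a different rule."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF                 # fold the carry back in
    return ac & 0xFFFF


def dnskey_keytag(presentation: str) -> int:
    """Key tag of a DNSKEY given in zone-file form; owner, TTL and class are
    skipped, and a base64 key split across whitespace is rejoined."""
    fields = presentation.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = "".join(fields[idx + 4:])
    return keytag(dnskey_rdata(flags, protocol, algorithm, pubkey))


def ds_keytag(presentation: str) -> int:
    """The key tag is simply the first RDATA field of a DS record."""
    fields = presentation.split()
    return int(fields[fields.index("DS") + 1])


def ds_matches(ds: str, dnskeys: list) -> bool:
    """True when some DNSKEY in the set carries the tag the DS record names."""
    tag = ds_keytag(ds)
    return any(dnskey_keytag(k) == tag for k in dnskeys)


if __name__ == "__main__":
    print("DNSKEY tag:", dnskey_keytag(DNSKEY_RR))   # 48248, as Net::DNS prints
    print("DS tag:    ", ds_keytag(DS_RR))           # 22755
    print("DS matches this DNSKEY:", ds_matches(DS_RR, [DNSKEY_RR]))
```

The algorithm-15 key tags as 48248 while the DS names 22755, so this DS refers to a different key (the algorithm-8 one mentioned in the thread) and a validator would not accept the algorithm-15 key on the strength of this DS alone.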



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
