On 28-Dec-22 19:40, Eric Germann wrote:
My question is

Is there any way to decode the DS record and see what key tag is actually encoded in it?  If it’s 32686 it’s an issue with Route53.  If it’s 22755 it’s an issue with dnssec-dsfromkey.

If anyone wants the DNSKEY for algorithm 8, ping me off list and I will share it with you in a private email.

Thoughts?

And because it's trivial, here are the keytags for all your keys and DS records and how to get them.  Note that you have DNSKEY 32686 installed in the DNS, and that the installed DS is 22755.

Can't say how it got that way, but that's what is there.  (Manual processes are error-prone.  That getting registrars to adopt CDS/CDNSKEY - RFC7344 - has been so slow is unfortunate.)  It's rarely the tools.

 perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DNSKEY); print "$_ => ",Net::DNS::RR->new("ericgermann.photography. DNSKEY $_")->keytag,"\n" foreach (@keys);'

 257 3 8 AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1 SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV 4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM= => *32686*
 256 3 8 AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2 hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE pbl7yiINzTU= => 43126
 256 3 13 bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+ H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== => 36584
 256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ= => 48248
 257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA= => 13075
 257 3 13 DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6 tkGehWujsuYtwLf0aKt2b1mjQUk/BA== => 49677

 perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DS); print "$_ => ",Net::DNS::RR->new("ericgermann.photography. DS $_")->keytag,"\n" foreach (@keys);'

 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9 => *22755*

You can, of course, use data from your files instead of dig. This works for both DS and DNSKEY:

 perl -MNet::DNS -MNet::DNS::SEC -e'print Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'


Enjoy.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
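The computation that Net::DNS performs inside the one-liners above, as an added standard-library Python example that is not part of the post or of Net::DNS: keytag() implements RFC 4034 Appendix B over the DNSKEY RDATA, ds_keytag() reads the tag out of the DS (it is simply the first field), and, going a step beyond the one-liners, make_ds()/ds_matches() recompute the DS digest over owner name + RDATA so a DS can be matched to a DNSKEY by digest and not only by key tag, since tags are not unique. The records are the ones shown in the post; ZONE, DNSKEYS, DS_RECORDS and the function names are this example's own.

```python
"""DNSSEC key tags and DS checks, Python standard library only.

keytag() is the RFC 4034 Appendix B computation over DNSKEY RDATA; make_ds()
is the RFC 4034 section 5.1.4 digest, H(owner name | DNSKEY RDATA), so a DS can
be checked against a DNSKEY by digest and not only by key tag (tags are not
unique). Sample records are copied from the post above; the function and
variable names are this example's own, not the post's or Net::DNS's."""
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def dnskey_rdata(line):
    """'flags proto alg base64...' (dig +short form; the key may be space-wrapped)
    -> wire RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    flags, proto, alg, *key = line.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))


def keytag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold the carry once."""
    if rdata[3] == 1:  # B.1: RSA/MD5 uses the high 16 of the low 24 bits of the modulus
        return struct.unpack("!H", rdata[-3:-1])[0]
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_keytag(line):
    return keytag(dnskey_rdata(line))


def ds_keytag(line):
    """The DS key tag is its first field; the digest does not enter into it."""
    return int(line.split()[0])


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner, dnskey_line, digest_type=2):
    """DS presentation text for a DNSKEY: digest = H(owner wire name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(dnskey_line)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{keytag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(owner, dnskey_line, ds_line):
    """True only when key tag, algorithm, digest type and digest all agree."""
    tag, alg, dtype, *digest = ds_line.split()
    expected = make_ds(owner, dnskey_line, int(dtype)).split()
    return expected == [tag, alg, dtype, "".join(digest).upper()]


def ds_without_dnskey(dnskey_lines, ds_lines):
    """DS key tags carried by no published DNSKEY (a tag match is necessary, not sufficient)."""
    published = {dnskey_keytag(l) for l in dnskey_lines}
    return {ds_keytag(l) for l in ds_lines} - published


ZONE = "ericgermann.photography."
# Records as shown in the post: the RSA KSK plus the three short keys, and the DS.
# The post reports key tags 32686, 48248, 13075 and 49677 for these four DNSKEYs.
DNSKEYS = [
    "257 3 8 "
    "AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt"
    "xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O"
    "vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1"
    "SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL"
    "UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV"
    "4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N"
    "egWHPunS1IM=",
    "256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ=",
    "257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA=",
    "257 3 13 DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6"
    " tkGehWujsuYtwLf0aKt2b1mjQUk/BA==",
]
DS_RECORDS = [
    "22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9",
]

if __name__ == "__main__":
    for line in DNSKEYS:
        print(f"DNSKEY {line[:12]}... => keytag {dnskey_keytag(line)}")
    for ds in DS_RECORDS:
        holders = [l for l in DNSKEYS if ds_matches(ZONE, l, ds)]
        print(f"DS keytag {ds_keytag(ds)} matches {len(holders)} published DNSKEY(s) by digest")
    print("DS tags with no published DNSKEY:", ds_without_dnskey(DNSKEYS, DS_RECORDS))
```

Run it as-is to reproduce the tag comparison; feed `dig +cdflag +short <zone> DNSKEY` and `dig +short <zone> DS` output into DNSKEYS and DS_RECORDS for another zone. ds_matches() is the check to prefer when rolling keys, because it is the digest, not the 16-bit tag, that the parent actually binds to the key.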


