I understand all the tools and output. The error I was trying to find is why they disagreed and checking all the points along the way. Thanks for your scripts.
Anyways, for GoogleFu, I got it fixed and it works correctly now thanks to https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2 For entering the DS record in to Route53, you enter the whole public key in Base64 without spaces or newlines, not the hash of the key like the registrars I’ve used for other domains. What is annoying is it accepts the hash as perfectly valid and gets the DS record number as the wrong ID. Thanks to all who helped! Eric > On Dec 29, 2022, at 10:06, Timothe Litt <l...@acm.org> wrote: > > >> That’s why I wanted to decode the DS record to see if it’s encoding it as >> 32686 or 22755 > > As I said, no decoding required. Just look at the DS record. The keytag is > immediately after "DS" in plain, unencoded text. > > If the question is how to verify the keytag from the DNSKEY it references, > I've shown you two different tools that produce the same result. > > If you use the same input file, you get the same answer from ISC and > Net::DNS::SEC. > > cat >tmp.key > > ericgermann.photography. DNSKEY 257 3 8 > AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt > xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O > vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1 > SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL > UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV > 4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM= > > dnssec-dsfromkey -2 tmp > ericgermann.photography. IN DS 32686 8 2 > A17DF360A9E0CB485BD396A839119441C5FF62A9C9E46D586EBDD1D084E2E36B > > That's the same answer as Net::DNS::SEC. Two different tools from reputable > sources, same answer. > > None of the installed keys have 22755. DNSvis does show a DS record > installed with 22755 (and no matching key). So AWS is installing that DS > from whatever input you provide it. > > That leaves: > > Different input to AWS vs. the local tools > perhaps you have a file with a different DNSKEY that you are uploading to > AWS. I've been known to accidentally overwrite, rename, or confuse files. > (Not often, but it happens.) > have you verified that the contents of the file that you are using matches > what's in the DNS? > Does AWS have an option to use a DNSKEY from your zone? That would avoid the > manual step. > If you're copy/pasting the DNSKEY file into AWS, corruption in the process > (buffer overruns?) > It's not inconceivable that AWS has a bug, but someone should have hit one > like this before you > Before blaming AWS, I'd be very sure that the same key is being input. If it > is, they have a bug.... > > You might also consider using a different key experimentally, on the off > chance that a wrong keytag bug is data-dependent. > > But the most likely scenario is that somehow AWS is generating a DS for a > different key. > > I don't use AWS, so that's as far as I can go. > > Good luck. > > Timothe Litt > ACM Distinguished Engineer > -------------------------- > This communication may not represent the ACM or my employer's views, > if any, on the matters discussed. > On 29-Dec-22 09:28, Eric Germann wrote: >> Yeah, that’s the problem I’m trying to solve. I run the key thru >> dnssec-dsfromkey and get 32686, When I put the key in to Route53, I get >> 22755 from the decoded DS record in the console for Route53. >> >> That’s why I wanted to decode the DS record to see if it’s encoding it as >> 32686 or 22755 >> >> >>> On Dec 29, 2022, at 09:17, Timothe Litt <l...@acm.org> >>> <mailto:l...@acm.org> wrote: >>> >>> On 28-Dec-22 19:40, Eric Germann wrote: >>>> My question is >>>> >>>> Is there any way to decode the DS record and see what key tag is actually >>>> encoded in it? If it’s 32686 it’s an issue with Route53. If it’s 22755 >>>> it’s an issue with dnssec-dsfromkey. >>>> >>>> If anyone wants the DNSKEY for algorithm 8, ping me off list and I will >>>> share it with you in a private email. >>>> >>>> Thoughts? >>>> >>> And because it's trivial, here are the keytags for all your keys and DS >>> records and how to get them. Note that you have DNSKEY 32686: installed in >>> the DNS, and that the installed DS is 22755. >>> >>> Can't say how it got that way, but that's what is there. (Manual processes >>> are error-prone. That getting registrars to adopt CDS/CDNSKEY - RFC7344 - >>> has been so slow is unfortunate.) It's rarely the tools. >>> >>> perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short >>> ericgermann.photography DNSKEY); print "$_ => >>> ",Net::DNS::RR->new("ericgermann.photography. DNSKEY $_")->keytag,"\n" >>> foreach (@keys);' >>> 257 3 8 AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt >>> xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O >>> vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1 >>> SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL >>> UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV >>> 4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM= => >>> 32686 >>> 256 3 8 AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K >>> AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET >>> VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2 >>> hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt >>> qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL >>> oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE pbl7yiINzTU= => >>> 43126 >>> 256 3 13 bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+ >>> H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== => 36584 >>> 256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ= => 48248 >>> 257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA= => 13075 >>> 257 3 13 DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6 >>> tkGehWujsuYtwLf0aKt2b1mjQUk/BA== => 49677 >>> >>> perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short >>> ericgermann.photography DS); print "$_ => >>> ",Net::DNS::RR->new("ericgermann.photography. DS $_")->keytag,"\n" foreach >>> (@keys);' >>> 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9 >>> => 22755 >>> >>> You can, of course, use data from your files instead of dig. Works for >>> both DS and DNSKEY >>> >>> perl -MNet::DNS -MNet::DNS::SEC -e' print >>> Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2 >>> 2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"' >>> >>> >>> >>> Enjoy. >>> >>> Timothe Litt >>> ACM Distinguished Engineer >>> -------------------------- >>> This communication may not represent the ACM or my employer's views, >>> if any, on the matters discussed. >>> >>> >>> >>> >>
signature.asc
Description: Message signed with OpenPGP
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
