On Dec 29, 2022, at 16:34, Timothe Litt <l...@acm.org> wrote:

<snip>

Yup, Eric's case was a classic example.  He tried to do the right thing, put in 
the wrong record, and the system didn't produce the expected results.  To his 
credit, he persisted.  Most people don't.  A while ago there was a study 
(cloudflare/APNIC 
<https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/>) 
that showed that only about 40% of people who enabled DNSSEC for their 
accounts successfully served DS records in their registry.

</snip>

The really annoying part is it isn’t obvious that they want the public key and 
not the result of dnssec-dsfromkey; they do it themselves.  The annoying part 
is they throw an error if the key isn’t valid Base64 (think spaces or 
newlines), but gladly accept the DS output from dnssec-dsfromkey.  Somehow or 
another they are getting the key tag from the incorrect DS record, because 
they encode again the already encoded string.

I looked in the docs for boto3 (the official API for AWS) and there appears to be no 
way to add a public key, so you can't do it programmatically.

I’ll have to pass that on to my AWS contacts.  Doubt they’ll do anything but it 
is worth throwing it over the fence.

Again, thanks for all the help!

Eric

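A worked illustration of the mix-up in this thread, added here as an example and not code from the list, from BIND/ISC or from AWS: it computes the key tag and the SHA-256 DS for a DNSKEY the way dnssec-dsfromkey does (RFC 4034 Appendix B and section 5), then shows why a form that only checks "is this valid base64" accepts the DS digest when it is pasted into the "public key" field, while a check on the algorithm's key length rejects it. The DNSKEY used is a constructed placeholder (the 64 bytes 0x00..0x3F), not a real key, and the two validator functions model only the behaviour the mail describes, not any registrar's actual code.

```python
"""Build the DS for a DNSKEY and show why a base64-only check on a registrar's
"public key" field accepts dnssec-dsfromkey output.

Added example for this thread, not code from BIND, ISC, or AWS. The DNSKEY is a
constructed placeholder (64 bytes of 0x00..0x3F), not a real key, and the two
validator functions model only what the mail describes about the form.
"""
import base64
import binascii
import hashlib
import struct

# RFC 6605: ECDSAP256SHA256 (alg 13) public keys are the 64-byte X||Y point,
# ECDSAP384SHA384 (alg 14) keys are 96 bytes. Other algorithms are not checked here.
KEY_LEN_BY_ALG = {13: 64, 14: 96}

# Constructed placeholder key with the right shape for algorithm 13; not a real key.
FAKE_P256_KEY = bytes(range(64))
FAKE_KEY_B64 = base64.b64encode(FAKE_P256_KEY).decode("ascii")
DNSKEY_LINE = "example.com. IN DNSKEY 257 3 13 " + FAKE_KEY_B64


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(16) | protocol(8) | algorithm(8) | public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for any algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' (the key may be split by spaces)."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4:]), validate=True)
    return tokens[0], flags, proto, alg, key


def ds_record(owner: str, flags: int, proto: int, alg: int, pubkey: bytes) -> str:
    """Presentation-format DS with digest type 2 (SHA-256), like 'dnssec-dsfromkey -2'."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"


def base64_only_check(field: str) -> str:
    """The weak check the mail describes: anything that decodes as base64 is accepted."""
    try:
        base64.b64decode(field, validate=True)
    except binascii.Error:
        return "rejected: not base64"
    return "accepted"


def check_public_key(alg: int, field: str) -> str:
    """Stricter check: base64 AND the byte length the algorithm requires."""
    try:
        raw = base64.b64decode(field, validate=True)
    except binascii.Error:
        return "rejected: not base64"
    want = KEY_LEN_BY_ALG.get(alg)
    if want is not None and len(raw) != want:
        return f"rejected: {len(raw)} bytes, algorithm {alg} needs {want}"
    return "accepted"


def demo() -> dict:
    owner, flags, proto, alg, key = parse_dnskey(DNSKEY_LINE)
    right_ds = ds_record(owner, flags, proto, alg, key)
    # The mistake from the thread: the DS digest (hex text) is pasted where the
    # base64 public key belongs. Hex is a subset of the base64 alphabet and 64
    # characters is a multiple of 4, so a base64-only check lets it through ...
    digest_hex = right_ds.split()[-1]
    # ... and whatever derives the key tag and DS from it is working on 48 bytes
    # of decoded hex text, not the key, so it produces a different DS.
    wrong_ds = ds_record(owner, flags, proto, alg, base64.b64decode(digest_hex))
    return {
        "right_ds": right_ds,
        "wrong_ds": wrong_ds,
        "base64_only": base64_only_check(digest_hex),
        "length_check": check_public_key(alg, digest_hex),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two validators is that base64 validity says nothing about what was pasted: the 64-character hex digest decodes to 48 bytes, which is simply not a P-256 key, and the key tag and DS derived from it will not match what the zone serves. Checking the decoded length against the algorithm (64 bytes for 13, 96 for 14) is enough to catch this particular paste error; a registrar that also echoes back the key tag it computed lets you compare it with dnssec-dsfromkey before the record goes live.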
