Valid base64 includes spaces and new lines. Poorly written record parsers reject valid records. 

-- 
Mark Andrews

On 30 Dec 2022, at 10:38, Eric Germann via bind-users <bind-users@lists.isc.org> wrote:



On Dec 29, 2022, at 16:34, Timothe Litt <l...@acm.org> wrote:

<snip>

Yup, Eric's case was a classic example.  He tried to do the right thing, put in the wrong record, and the system didn't produce the expected results.  To his credit, he persisted.  Most people don't.  A while ago there was a study (Cloudflare/APNIC) that showed that only about 40% of people who enabled DNSSEC for their accounts successfully served DS records in their registry.

</snip>

The really annoying part is it isn’t obvious that they want the public key and not the result of dnssec-dsfromkey; they do it themselves.  The annoying part is they throw an error if the key isn’t valid Base64 (think spaces or newlines), but gladly accept the DS output from dnssec-dsfromkey.  Somehow or another they are getting the key tag from the incorrect DS record, because they encode again the already encoded string.

I looked in the docs for boto3 (the official API for AWS) and there appears to be no way to add a public key so you can’t do it programmatically.

I’ll have to pass that on to my AWS contacts.  Doubt they’ll do anything but it is worth throwing it over the fence.

Again, thanks for all the help!

Eric

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

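Added example, not part of the original thread and not AWS or ISC code: a DNSKEY RDATA parser that accepts the spaces, newlines and parentheses that zone-file base64 may contain, beside a strict decoder that rejects the same key, plus the RFC 4034 Appendix B key tag and a SHA-256 DS digest computed from the decoded key. The key bytes, the owner name `example.com.` and all function names are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import struct

# Constructed sample (not a real key): Ed25519 KSK in zone-file form, with the
# base64 split by spaces and a newline, as multi-line zone-file records are.
SAMPLE_RDATA = """257 3 15 ( AAECAwQFBgcICQoL DA0ODxAR
                             EhMUFRYXGBkaGxwdHh8= ) ; constructed"""

def strict_b64(text):
    """The brittle behaviour: any space or newline is treated as an error."""
    return base64.b64decode(text, validate=True)

def parse_dnskey_rdata(text):
    """Return DNSKEY RDATA in wire form from 'flags proto alg base64...'."""
    text = re.sub(r";[^\n]*", "", text)              # drop zone-file comments
    fields = text.replace("(", " ").replace(")", " ").split()
    if len(fields) < 4:
        raise ValueError("expected: flags protocol algorithm public-key")
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    # Whitespace is gone after split(); validate=True still rejects real junk.
    key = base64.b64decode("".join(fields[3:]), validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    return hashlib.sha256(wire + rdata).hexdigest().upper()

if __name__ == "__main__":
    rdata = parse_dnskey_rdata(SAMPLE_RDATA)
    print("key tag:", key_tag(rdata))
    print("DS SHA-256:", ds_sha256("example.com.", rdata))
    try:
        strict_b64(SAMPLE_RDATA.split("(")[1].split(")")[0])
    except binascii.Error as exc:
        print("strict decoder rejects the same key:", exc)
```

Because the key tag and DS digest are computed over the decoded wire-format RDATA, the result is the same however the base64 was wrapped in the zone file.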