I have successfully implemented opendnssec. I have multiple domains at GoDaddy, and while all other TLDs work after inputting the results from

ods-ksmutil key ds-seen -z domain.co -x 12345

the domains with the .co TLD have an extra input field which is required. Instead of the usual Key Tag:, Algorithm:, Digest Type: and Digest:, there is one more required field called Key Data Alg, for which the tool-tip states:

"The key data algorithm determines the method used for encrypting the public key. Values must be an integer between 0 and 255 and must match the server."

Over at this link https://www.edge-cloud.net/2014/06/practical-guide-dns-based-authentication-named-entities-dane/ in the comments section at the bottom, Christian Elsen says:

"Here is what these fields mean along with possible values:
– flags: 256 for Zone Signing Keys (ZSK), 257 for Key Signing Keys (KSK). You want 257 for the long-term Key Signing Key in this case
– protocol: always 3 to signify DNSSEC
– key data alg: 5 for RSA with SHA1 (currently the only specified choice)
– public key: base64 format of the public key (either ZSK or KSK)"

and

"You can also look up the correct values via "dig type48 examples.com" against your domain."

In the specifics of https://support.godaddy.com/help/article/6114/about-self-managed-dnssec titled About Self-Managed DNSSEC, it seems to be missing the information regarding this required Key Data Alg: input field in their DS form.

"ods-ksmutil key export --zone domain.co --verbose" reveals:

domain.co. 3600 IN DNSKEY 257 3 8 AwEAAc69iKpMRQCV53HoqII8gP+TO6/XEiB80ydhhJSC8Nfqz07KdlGpZIR5pgIN6JcAldXnlVgYjpoOO9eFpZfKtRR994Bao+6BNhkNWcZYESJnfNCEL3Vnkdl2qLNeyIwGBqWPjYSfpFEfiaSePBCuX+7zn8F9d14Q9Ni0jgw1v4uIi4q6dh7Zgg5WC7LURt4kPwOMphANkikL02zGzO/QwdzGRyX5R5sUL4yn8gUrBEeMsn3RI06Z83yS8BoEGcBJ0PitciqILNK0PkPwg9c3FqERVpt202evVMBPlIvCPn5Y/nXMDN18Yy84982W9oRYf8xVU89qgdrdzh0ZJr4u5Cs= ;{id = 65105 (ksk), size = 2048b}

GoDaddy's support was of no help. The possibilities for Key Data Alg: are 1, 2, 3, 5, 6, 7, 8, 10, 12. I tried all of them and received a momentary failure email.

Regards,
Peter
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
