Hi,

According to this: https://tools.ietf.org/html/rfc4034#section-5.1.3

the digest should be, quote: "a 20 octet digest"

<secDNS:dsData>
<secDNS:keyTag>27425</secDNS:keyTag>
<secDNS:alg>13</secDNS:alg>
<secDNS:digestType>2</secDNS:digestType>
<secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
</secDNS:dsData>

So the digest above, 49FD46E6C4B45C55D4AC, should be a 20 octet digest.

But where can I find this 20 octet digest in my PowerDNS?


It's not in pdnsutil show-zone, and it's not in the cryptokeys table either.

Do you know how I can calculate this digest?

/ Daniel




On 2017-11-30 at 17:04, Pieter Lexis wrote:
> Hello Daniel,
>
> On Thu, 30 Nov 2017 16:23:53 +0100
> Daniel Eriksson <[email protected]> wrote:
>
> > On a zone I get the following result from pdnsutil show-zone
> > [...]
> > Now I'm sending the following command to the IIS Epp server choosing the SHA256
> > digest :
> > [ ... ]
> > But this has no effect, the domain is still unsigned, am I sending up the wrong
> > public key?
>
> This might be because you sent domain.se via EPP where egenblog.se is the
> actual domain name.
> If this is because you attempt to obfuscate data, do not do this and see our
> support policy[1].
>
> It looks like your zone is properly signed but that there is indeed no secure
> delegation yet[2]
>
> Assuming you used the right domain name in the EPP message.
> It can be that .se wants the DNSKEY and not the DS record.
> It might be that the registry refreshed its zones only e.g. every hour and your
> update has not passed yet.
> It might also be that the registry does some checks first and this is why it is
> delayed.
> Another reason is that the EPP message is wrong and the EPP response did not
> indicate this or was not read?
>
> Hope this helps in further debugging.
>
> Best regards,
>
> Pieter
>
> 1 - https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
> 2 - http://dnsviz.net/d/egenblog.se/WiAqKw/dnssec/


--
=====================
Best regards, Daniel Eriksson
www.egensajt.se
031-7877050

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
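
An added example, not part of the original thread and not PowerDNS code: the DS digest and key tag computed from a DNSKEY as RFC 4034 section 5.1.4 and Appendix B specify. The public key and the owner name example.se are constructed placeholders; digest type 2 (SHA-256) yields 32 octets and type 1 (SHA-1) yields 20, which the hypothetical helper `digest_length_ok` checks before a dsData element is submitted.

```python
import base64
import hashlib
import struct

# DS digest types and their hash functions (1: SHA-1, 2: SHA-256, 4: SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """DNSKEY RDATA = flags (2 octets) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), as uppercase hex."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def digest_length_ok(digest_type, hex_digest):
    """True if hex_digest has exactly the length its digest type produces."""
    return len(hex_digest) == 2 * DIGESTS[digest_type]().digest_size

# Constructed sample input: 64 placeholder octets standing in for an
# algorithm 13 (ECDSA P-256) public key; not a real key.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY)

if __name__ == "__main__":
    print("keyTag:", key_tag(SAMPLE_RDATA))
    for dtype in (1, 2):
        print("digestType", dtype, ds_digest("example.se", SAMPLE_RDATA, dtype))
    # Length check applied to the digest string quoted in the message above
    print(digest_length_ok(2, "49FD46E6C4B45C55D4AC"))
```
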