ZSK rollover weirdness

Phil Mayers p.mayers at imperial.ac.uk
Fri Sep 6 16:42:35 UTC 2013


On 06/09/13 17:28, Lawrence K. Chen, P.Eng. wrote:

> And, the prior ZSK was 14565
>
> ; This is a zone-signing key, keyid 14565, for ksu.edu.
> ; Created: 20130601090000 (Sat Jun  1 04:00:00 2013)
> ; Publish: 20130601090007 (Sat Jun  1 04:00:07 2013)
> ; Activate: 20130601090007 (Sat Jun  1 04:00:07 2013)
> ; Revoke: 20130901090000 (Sun Sep  1 04:00:00 2013)
> ; Inactive: 20130915090000 (Sun Sep 15 04:00:00 2013)
> ; Delete: 20130929090000 (Sun Sep 29 04:00:00 2013)
> ksu.edu. IN DNSKEY 256 3 8 AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe 52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1 t3rQaznB

This looks like the culprit, currently being served up from your 
nameservers:

86350 IN DNSKEY	384 3 8 (
	AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCA
	X9+z+cpyq/Pe52kLuFxDjCj89EzdjKFDGAkPRDPImWlT
	QLCr3WQl8g5SIOs67bBR72hvq2tHmgpK+/j9Z4yqLRyl
	d/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1t3rQaznB
	) ; ZSK; alg = RSASHA256; key id = 14693

Note the crazy "flags" value (384).

If you calculate the key ID with the data you list above, you get 
14565. If you replace flags "256" with "384" the ID changes to 14693.

> Where is 14693 coming from?  And, how do I get it to work right?

I would guess you've either mangled the key files somehow, or you've hit 
a bug, but it's not obvious from your infodump how you're signing your 
zones.
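
The arithmetic behind the two key IDs, as an added example that is not part of the original post: the RFC 4034 Appendix B key tag is computed over the whole DNSKEY RDATA, flags included, so the same public key gives a different ID when only the flags change. `flags_for_tag` is a hypothetical helper name; it tries the defined flag bits against the key quoted in the thread to find which flags value yields an observed key ID.

```python
import base64
import struct
from itertools import combinations

# Public key exactly as quoted in the thread, whitespace removed.
PUBKEY_B64 = (
    "AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCA"
    "X9+z+cpyq/Pe52kLuFxDjCj89EzdjKFDGAkPRDPImWlT"
    "QLCr3WQl8g5SIOs67bBR72hvq2tHmgpK+/j9Z4yqLRyl"
    "d/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1t3rQaznB"
)

# Defined DNSKEY flag bits: ZONE and SEP (RFC 4034), REVOKE (RFC 5011).
FLAG_BITS = {"ZONE": 0x0100, "REVOKE": 0x0080, "SEP": 0x0001}


def dnskey_rdata(flags, pubkey_b64, protocol=3, algorithm=8):
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    key = base64.b64decode(pubkey_b64, validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high octet of each 16-bit word, odd the low.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def flags_for_tag(observed_tag, pubkey_b64):
    """Hypothetical helper: which flag-bit combinations give observed_tag?"""
    matches = []
    for n in range(len(FLAG_BITS) + 1):
        for names in combinations(FLAG_BITS, n):
            flags = sum(FLAG_BITS[name] for name in names)
            if key_tag(dnskey_rdata(flags, pubkey_b64)) == observed_tag:
                matches.append((flags, list(names)))
    return matches


if __name__ == "__main__":
    for flags in (256, 384):
        print(flags, key_tag(dnskey_rdata(flags, PUBKEY_B64)))
    print(flags_for_tag(14693, PUBKEY_B64))
```

Flags 384 is 256 (ZONE) plus 128 (the RFC 5011 REVOKE bit), and the key file quoted above carries a Revoke time of 1 September 2013.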

