Only one DS key comes back in query

frank picabia fpicabia at gmail.com
Mon May 16 15:53:24 UTC 2022


I think I see the problem now.  The values in the file dsset-example.com
generated by signing the zone are not good.  I believe this was the bad
value being provided as reported by the registrar.  It was mentioned
in a user's comment on the DNSSEC guide that using the dsset file
wasn't the thing to do.  Using one of the other approaches with
dnssec-dsfromkey is needed.  The values in the dsset file begin the
same but are different.


On Mon, May 16, 2022 at 11:37 AM frank picabia <fpicabia at gmail.com> wrote:

>
> That's helpful.  Very similar to what I found a minute ago on
>
> https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/
>
> with their example:
>
> dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net
>
> I've done this for my domain and both of my DS keys are showing up.  Tried
> the dnssec-dsfromkey with the .key file as well and that sanity check passed.
> I think I'm set up all right; I'll need to check again with the domain registrar.
>
> Thanks for the assistance.
>
>
> On Mon, May 16, 2022 at 11:15 AM Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote:
>
>> If you have the public key file you can do:
>>
>> dnssec-dsfromkey Kexample.com.+013+55640.key
>> example.com. IN DS 55640 13 2
>> CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9
>>
>> Or you can query the auth nameserver like this:
>>
>> dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" |
>> dnssec-dsfromkey -f - example.com.
>>
>> Daniel
>>
>>
>> On 16.05.22 16:01, frank picabia wrote:
>> > Let's put it another way:
>> >
>> > Using tools like host or dig, can I look up my DS without it talking to
>> > the domain registrar?
>> >
>> > If it is always getting from the domain registrar, I can't see how to
>> > check the DS is set up all right purely within bind.
>> >
>> >
>> > On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev <anandb at ripe.net> wrote:
>> >
>> >     On 16/05/2022 15:07, frank picabia wrote:
>> >
>> >     Hi Frank,
>> >
>> >     > I have dsset-example.com showing two DS keys with algorithm 8.
>> >     > I included both .key files in my DNS.  Only digest 1 comes back
>> >     > in a dig query.
>> >     >
>> >     > I use dnssec-signzone tool to sign the zone file.
>> >     >
>> >     > The domain registrar says there is a problem with the digest 2 value.
>> >     > It's copied directly from the dsset file.
>> >     >
>> >     > Not sure about the chicken and the egg in this case.  When I do a
>> >     > dig, is it really just getting the value back from the domain registrar?
>> >     >
>> >     > Any suggestions on how to ensure my digest 2 DS value is set up right?
>> >
>> >     We cannot help you if we cannot see the DS records or know which domain
>> >     they are for.
>> >
>> >     Anand
>> >
>> >
>>
>
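The check discussed in this thread (deriving the DS record from the published DNSKEY so it can be compared with what the registrar holds) can be reproduced offline. The script below is an added example, not code from the thread or from BIND: it does what `dnssec-dsfromkey -f - example.com.` does for KSK lines in `dig ... DNSKEY` output, computing the RFC 4034 key tag and the digest over the canonical owner name plus DNSKEY RDATA. The DNSKEY lines and the 4-byte key material are constructed placeholders, not real keys.

```python
"""Derive DS records from DNSKEY presentation lines, as dnssec-dsfromkey does (RFC 4034 s.5)."""
import base64
import hashlib
import re
# Digest type -> hash: 1 = SHA-1, 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
LINE_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

# Constructed sample shaped like 'dig @localhost example.com. DNSKEY' output.
# The key material is a 4-byte placeholder, not a real algorithm-13 key.
SAMPLE_DNSKEYS = """\
; <<>> DiG <<>> @localhost example.com. DNSKEY
example.com.\t3600\tIN\tDNSKEY\t257 3 13 AQIDBA==
example.com.\t3600\tIN\tDNSKEY\t256 3 13 AQIDBA==
"""

def name_to_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(dnskey_text, digest_types=(2,), ksk_only=True):
    """Return [(owner, keytag, algorithm, digest_type, digest_hex), ...]."""
    out = []
    for line in dnskey_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # comments, blank lines, other RR types
        owner, flags, proto, alg = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
        if ksk_only and not flags & 1:  # SEP bit clear: a ZSK, which gets no DS
            continue
        key = base64.b64decode("".join(m.group(5).split()))  # dig may split the base64
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
        for dt in digest_types:
            # Digest input is the canonical owner name followed by the DNSKEY RDATA.
            digest = DIGEST_ALGS[dt](name_to_wire(owner) + rdata).hexdigest().upper()
            out.append((owner, key_tag(rdata), alg, dt, digest))
    return out

if __name__ == "__main__":
    for owner, tag, alg, dt, digest in ds_records(SAMPLE_DNSKEYS, digest_types=(1, 2)):
        print(f"{owner} IN DS {tag} {alg} {dt} {digest}")  # dnssec-dsfromkey style line
```

Feed it the real `dig @localhost example.com. DNSKEY` output and compare the digest-type-2 line with the value the registrar has on file; a mismatch means the published DS does not correspond to the KSK actually in the zone.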