problem registering DS records with EDUCAUSE, sanity check please

Paul B. Henson henson at acm.org
Mon Jul 14 20:24:38 UTC 2014


We roll our KSKs for our edu domain annually in July, after which I need to
manually go to the EDUCAUSE management site to delete the old DS records for
the key no longer in use and add the new DS records for the key just
published and scheduled to be used the following year.

This year, after deleting the old records, I have been unable to add the new
records. When I try to add the new records into their system, it tells me
"We were unable to locate the DNSSEC data you entered in the published zone
for this domain". From what I understand, they basically do a DNSKEY lookup
for the zone, and if you are trying to enter DS records for a key that
doesn't exist, they try to keep you from shooting yourself in the foot.
However, I'm reasonably sure I am entering the correct records for the new
key that is published and does exist.

After opening a trouble ticket, they indicate that they have received no
other complaints and as far as they know their system is working correctly.
While they continue to look into it, I was hoping to get a quick sanity
check to make sure I'm not doing something stupid :).

As of today, there are three DNSKEY KSKs being published in our zone,
csupomona.edu:

                        43200   DNSKEY  257 3 8 (
                                        AwEAAdFxrkq3ckurcqLiyaoXUTgnbNYeNqPz
                                        ux9X90Y4mxdgq+by/q7n+tAFL0D3mnR583f7
                                        BFjRCWjNU5Txn2kkc3vCW7vy4ACzOw1svEXu
                                        pA+VW4SxwkzIIlXDYqA0H9rwtuh02KXCLDNX
                                        NMJE/gmjHUUavy99sK+fbZp/+wDIG6E/xEgi
                                        a/AzeXlN5ooorNl5HqHYRCl3q0tAHSiXCDmV
                                        gRc1mKKPfURILiaGiHMAt13duN+COtX0I3GJ
                                        T1t54NJ6pUWzHo0G9l4XzKB+QDXrVSjIbw+I
                                        3f2AQ2X2OtOyL+8ZnDK9WxoaJF2IwUsy4Gkw
                                        etIyZrxbdOJegbuKQG9ocVs=
                                        ) ; KSK; alg = RSASHA256; key id = 7390

This is the old key, that was in use from 7/2013-7/2014, and will actually
be removed tomorrow.

                        43200   DNSKEY  257 3 8 (
                                        AwEAAdGKMuliCXyKT1xnqZTCu0XJwJ45uDXi
                                        /OWnYbIJox7TejDTS9j9mZqnzh/T+s8awm/q
                                        JDJASSfK1Udi58I32kZr/O+hzyPR7IH7JT61
                                        YWjPIlf3WslOS9hmsUEEWxvu8WdmLbyHaf+w
                                        WFUMYiyvHcVcw1xPlURI0z6xP1vLl0/Oxy4q
                                        NRTARjfcuj5MmdntmB7PHR3nK+Hm8NO1Yt1y
                                        DnHTr2LBKGneJdwYUPaSXW+R8nUF98yrZghn
                                        0LjzKo3Rp7QZ446dxN8OTjo+KDyxboP5+dO+
                                        EnU7qRuYWfLjwomtI7S1sWQZbIkGhQsS2FIc
                                        C9y3SL1LYWe8HtqBkozSED8=
                                        ) ; KSK; alg = RSASHA256; key id = 64507

This is the current key in use, originally published 7/2013, activated
7/2014, and scheduled to be used through 7/2015. This key has DS records in
the edu zone that I added last year:

csupomona.edu.          IN DS 64507 8 1
4736F7DB4A69FF2A97C7CAF3848EFD0BBC42AC1C
csupomona.edu.          IN DS 64507 8 2
85567D63F5AA85A9CE5303776F3DBBCFCB8C82F254E55EE4ECC4279A 04CC350A

                        43200   DNSKEY  257 3 8 (
                                        AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9ur
                                        WU1Tq4kc21Ca0wsFZQCB1jU5XNXCiITwEiRb
                                        oxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbib
                                        nd3Y6oeUfZvKyqgvNlSJqpLdC5SsHN2r9lHR
                                        EpO3VpE+bZDdfMys8Lb3xtNqdzjRX8a4nz0z
                                        H1JfrSQG92pP5YXhErsP//r7YCOQdwnuNsWm
                                        ECWXDISDhlorYqRsHNmjFsnrCpbDkrp9J84I
                                        tPcN7DXqDofxRqGxIZ+sx7GcXecCcyAEtHrM
                                        1bZuhzwUjWiscfADWwNTfRrxRxPAgAAorXL4
                                        /dYAx/8QfFINz2/w8Pblrs0=
                                        ) ; KSK; alg = RSASHA256; key id = 58561

And finally, this is the new key I just created, for which I'm trying to add
DS records. The dsset file created by dnssec-signzone says these records
should be:

csupomona.edu.          IN DS 58561 8 1
68893E21C919C85530F9033B4315F68D1248CDBC
csupomona.edu.          IN DS 58561 8 2
DDA5E90D66BB90E2D10881DE0974A3DF0A3C614A6D88C1BA28B19546 1E45C8C5

The same records are generated by dnssec-dsfromkey. Yet, when I try to
register these DS records with EDUCAUSE, their system claims they cannot
find a matching key in our published zone.

Does anybody see anything out of place? Fortunately, the key is not
scheduled to be used until 2015, so there's plenty of time to work this out;
unfortunately, it's gnawing at me that it's not complete yet 8-/.

Thanks.
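The sanity check the post asks for can be done without either BIND tool: a DS record is just a hash over the canonical owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), and the key tag is a 16-bit checksum over that same RDATA (RFC 4034 Appendix B). The script below is an added example written for this page; it is not part of the original post and not code from BIND or EDUCAUSE. The DNSKEY it embeds is the key id 58561 record shown above with its continuation lines joined; `ds_from_dig_line` and `ds_matches` are helpers invented here, and the `dig +short` input format they expect is an assumption about how the live DNSKEY would be pasted in.

```python
"""Derive DS records and the key tag for a DNSKEY, per RFC 4034.

DS digest = hash( canonical owner name wire form || DNSKEY RDATA )  (s.5.1.4)
key tag   = 16-bit checksum over the DNSKEY RDATA                   (App. B)
"""
import base64
import hashlib
import struct

# Input copied from the post: the new KSK (key id 58561) of csupomona.edu,
# with the base64 continuation lines joined. Nothing here is fetched from DNS.
OWNER = "csupomona.edu."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8   # KSK (SEP bit), DNSSEC, RSASHA256
PUBKEY_B64 = (
    "AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9ur"
    "WU1Tq4kc21Ca0wsFZQCB1jU5XNXCiITwEiRb"
    "oxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbib"
    "nd3Y6oeUfZvKyqgvNlSJqpLdC5SsHN2r9lHR"
    "EpO3VpE+bZDdfMys8Lb3xtNqdzjRX8a4nz0z"
    "H1JfrSQG92pP5YXhErsP//r7YCOQdwnuNsWm"
    "ECWXDISDhlorYqRsHNmjFsnrCpbDkrp9J84I"
    "tPcN7DXqDofxRqGxIZ+sx7GcXecCcyAEtHrM"
    "1bZuhzwUjWiscfADWwNTfRrxRxPAgAAorXL4"
    "/dYAx/8QfFINz2/w8Pblrs0="
)

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s.6.2): lowercase, length-prefixed
    labels, terminated by the root label. A wrong owner name here is one of
    the ways a DS can fail to match a perfectly good DNSKEY."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 uses a different key tag formula")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest of owner-name wire form followed by the DNSKEY RDATA."""
    h = DIGEST_TYPES[digest_type]()
    h.update(owner_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def ds_records(owner, flags, protocol, algorithm, pubkey_b64):
    """(key_tag, algorithm, digest_type, digest_hex) for digest types 1 and 2,
    i.e. the two lines dnssec-signzone writes into the dsset- file."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    return [(tag, algorithm, dt, ds_digest(owner, rdata, dt)) for dt in sorted(DIGEST_TYPES)]


def ds_from_dig_line(owner: str, line: str):
    """Same computation starting from RDATA as `dig +short DNSKEY` prints it:
    '257 3 8 AwEAA...'. Feed it the zone's live answer to confirm the key
    being registered is the one actually published (assumed input format)."""
    fields = line.split()
    flags, protocol, algorithm = (int(x) for x in fields[:3])
    return ds_records(owner, flags, protocol, algorithm, "".join(fields[3:]))


def ds_matches(expected_hex: str, ds) -> bool:
    """Compare a digest as typed into a registrar form (any case, with the
    space dig inserts after 56 hex digits) against a computed DS tuple."""
    return expected_hex.replace(" ", "").upper() == ds[3]


if __name__ == "__main__":
    for tag, alg, dt, digest in ds_records(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64):
        print(f"{OWNER:<23} IN DS {tag} {alg} {dt} {digest}")
```

Running it prints the same two DS lines the dsset file shows for key id 58561. That settles the arithmetic side of the check (owner name, flags, algorithm and key material all agree with the digests being submitted); whether the registrar's own resolver sees that DNSKEY RRset when it queries the zone is a separate question that this script cannot answer.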



More information about the bind-users mailing list