problem registering DS records with EDUCAUSE, sanity check please
Mark Andrews
marka at isc.org
Tue Jul 15 00:19:10 UTC 2014
The new key does not sign the DNSKEY RRset.
% dig csupomona.edu dnskey +rrcomm +dnssec | grep 58561
csupomona.edu. 43072 IN DNSKEY 257 3 8 AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9urWU1Tq4kc21Ca0wsFZQCB 1jU5XNXCiITwEiRboxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbibnd3Y 6oeUfZvKyqgvNlSJqpLdC5SsHN2r9lHREpO3VpE+bZDdfMys8Lb3xtNq dzjRX8a4nz0zH1JfrSQG92pP5YXhErsP//r7YCOQdwnuNsWmECWXDISD hlorYqRsHNmjFsnrCpbDkrp9J84ItPcN7DXqDofxRqGxIZ+sx7GcXecC cyAEtHrM1bZuhzwUjWiscfADWwNTfRrxRxPAgAAorXL4/dYAx/8QfFIN z2/w8Pblrs0= ; KSK; alg = RSASHA256; key id = 58561
%
Compare this with the current key.
% dig csupomona.edu dnskey +rrcomm +dnssec | grep 64507
csupomona.edu. 42904 IN DNSKEY 257 3 8 AwEAAdGKMuliCXyKT1xnqZTCu0XJwJ45uDXi/OWnYbIJox7TejDTS9j9 mZqnzh/T+s8awm/qJDJASSfK1Udi58I32kZr/O+hzyPR7IH7JT61YWjP Ilf3WslOS9hmsUEEWxvu8WdmLbyHaf+wWFUMYiyvHcVcw1xPlURI0z6x P1vLl0/Oxy4qNRTARjfcuj5MmdntmB7PHR3nK+Hm8NO1Yt1yDnHTr2LB KGneJdwYUPaSXW+R8nUF98yrZghn0LjzKo3Rp7QZ446dxN8OTjo+KDyx boP5+dO+EnU7qRuYWfLjwomtI7S1sWQZbIkGhQsS2FIcC9y3SL1LYWe8 HtqBkozSED8= ; KSK; alg = RSASHA256; key id = 64507
csupomona.edu. 42904 IN RRSIG DNSKEY 8 2 43200 20140818161836 20140714163232 64507 csupomona.edu. o4bJimrnoVXVtv4eviO5xKwULVrNv0d1nGQ09yDOAJa5dls9ZIgbca2/ feCDC7xZv6r2586PUBL1kyRlxJGLXBbKz7UK6svMOrUrEYEZivWBFP3D wb6KjrtyN/8sF0ab7Y7x9plGPh8PYpU/Q3QX9XCdolZTTAUvoCQlFkgs o5jvJkl2JvlJ2aP7IbcuExpQc+M9gSU5hE7V5WZv8DrI2iwZh17fzBcm qmX9R7UBnIyvZFDKsVd4QUVLh6+XGyMU8WZWhoiApWLhaWvL3QxNBWHn FrhkZq+V3IKNxxDs2KzwAaq8JWBefFXQP6tCS77NZgR43OBIOZp/m8Zi gOJGWQ==
%
Make sure the DNSKEY RRset is signed with the new key then try to
add the DS record to the parent.
Mark
In message <044501cf9fa1$a5374e90$efa5ebb0$@acm.org>, "Paul B. Henson" writes:
> We roll our KSKs for our edu domain annually in July, after which I need to
> manually go to the EDUCAUSE management site to delete the old DS records for
> the key no longer in use, and add the new DS records for the key just
> published and scheduled to be used the following year.
>
> This year, after deleting the old records, I have been unable to add the new
> records; when I try to add the new records into their system, it tells me
> "We were unable to locate the DNSSEC data you entered in the published zone
> for this domain". From what I understand, they basically do a DNSKEY lookup
> for the zone, and if you are trying to enter DS records for a key that
> doesn't exist, they try to keep you from shooting yourself in the foot.
> However, I'm reasonably sure I am entering the correct records for the new
> key that is published and does exist.
>
> After opening a trouble ticket, they indicate that they have received no
> other complaints and as far as they know their system is working correctly.
> While they continue to look into it, I was hoping to get a quick sanity
> check to make sure I'm not doing something stupid :).
>
> As of today, there are three DNSKEY KSKs being published in our zone,
> csupomona.edu:
>
> 43200 DNSKEY 257 3 8 (
> AwEAAdFxrkq3ckurcqLiyaoXUTgnbNYeNqPz
> ux9X90Y4mxdgq+by/q7n+tAFL0D3mnR583f7
> BFjRCWjNU5Txn2kkc3vCW7vy4ACzOw1svEXu
> pA+VW4SxwkzIIlXDYqA0H9rwtuh02KXCLDNX
> NMJE/gmjHUUavy99sK+fbZp/+wDIG6E/xEgi
> a/AzeXlN5ooorNl5HqHYRCl3q0tAHSiXCDmV
> gRc1mKKPfURILiaGiHMAt13duN+COtX0I3GJ
> T1t54NJ6pUWzHo0G9l4XzKB+QDXrVSjIbw+I
> 3f2AQ2X2OtOyL+8ZnDK9WxoaJF2IwUsy4Gkw
> etIyZrxbdOJegbuKQG9ocVs=
> ) ; KSK; alg = RSASHA256; key id = 7390
>
> This is the old key, which was in use from 7/2013-7/2014 and will actually
> be removed tomorrow.
>
> 43200 DNSKEY 257 3 8 (
> AwEAAdGKMuliCXyKT1xnqZTCu0XJwJ45uDXi
> /OWnYbIJox7TejDTS9j9mZqnzh/T+s8awm/q
> JDJASSfK1Udi58I32kZr/O+hzyPR7IH7JT61
> YWjPIlf3WslOS9hmsUEEWxvu8WdmLbyHaf+w
> WFUMYiyvHcVcw1xPlURI0z6xP1vLl0/Oxy4q
> NRTARjfcuj5MmdntmB7PHR3nK+Hm8NO1Yt1y
> DnHTr2LBKGneJdwYUPaSXW+R8nUF98yrZghn
> 0LjzKo3Rp7QZ446dxN8OTjo+KDyxboP5+dO+
> EnU7qRuYWfLjwomtI7S1sWQZbIkGhQsS2FIc
> C9y3SL1LYWe8HtqBkozSED8=
> ) ; KSK; alg = RSASHA256; key id = 64507
>
> This is the current key in use, originally published 7/2013, activated
> 7/2014, and scheduled to be used through 7/2015. This key has DS records in
> the edu zone that I added last year:
>
> csupomona.edu. IN DS 64507 8 1
> 4736F7DB4A69FF2A97C7CAF3848EFD0BBC42AC1C
> csupomona.edu. IN DS 64507 8 2
> 85567D63F5AA85A9CE5303776F3DBBCFCB8C82F254E55EE4ECC4279A 04CC350A
>
> 43200 DNSKEY 257 3 8 (
> AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9ur
> WU1Tq4kc21Ca0wsFZQCB1jU5XNXCiITwEiRb
> oxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbib
> nd3Y6oeUfZvKyqgvNlSJqpLdC5SsHN2r9lHR
> EpO3VpE+bZDdfMys8Lb3xtNqdzjRX8a4nz0z
> H1JfrSQG92pP5YXhErsP//r7YCOQdwnuNsWm
> ECWXDISDhlorYqRsHNmjFsnrCpbDkrp9J84I
> tPcN7DXqDofxRqGxIZ+sx7GcXecCcyAEtHrM
> 1bZuhzwUjWiscfADWwNTfRrxRxPAgAAorXL4
> /dYAx/8QfFINz2/w8Pblrs0=
> ) ; KSK; alg = RSASHA256; key id = 58561
>
> And finally, the new key I just created, for which I'm trying to add DS
> records. The dsset file created by dnssec-signzone says these records should
> be:
>
> csupomona.edu. IN DS 58561 8 1
> 68893E21C919C85530F9033B4315F68D1248CDBC
> csupomona.edu. IN DS 58561 8 2
> DDA5E90D66BB90E2D10881DE0974A3DF0A3C614A6D88C1BA28B19546 1E45C8C5
>
> The same records are generated by dnssec-dsfromkey. Yet, when I try to
> register these DS records with EDUCAUSE, their system claims they cannot
> find a matching key in our published zone.
>
> Does anybody see anything out of place? Fortunately, the key is not
> scheduled to be used until 2015, so there's plenty of time to work this out;
> unfortunately, it's gnawing at me that it's not complete yet 8-/.
>
> Thanks.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
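The check Mark describes, worked through as an added example that is not part of the thread: it recomputes the key tags and DS digests of both KSKs from the dig output quoted above (the same computation dnssec-dsfromkey performs), then applies the steps a parent-side DS submission check can insist on in turn: key published, digest matches, DNSKEY RRset carries an RRSIG made by that key. The function names and verdict strings are assumptions; what EDUCAUSE's system actually tests is not stated on the page.

```python
import base64
import hashlib

# Constructed sample input copied from the thread: the two KSKs as dig +rrcomm prints them, plus the only RRSIG over the DNSKEY RRset, which key 64507 (not the new key 58561) made.
DIG_OUTPUT = """\
csupomona.edu. 42904 IN DNSKEY 257 3 8 AwEAAdGKMuliCXyKT1xnqZTCu0XJwJ45uDXi/OWnYbIJox7TejDTS9j9 mZqnzh/T+s8awm/qJDJASSfK1Udi58I32kZr/O+hzyPR7IH7JT61YWjP Ilf3WslOS9hmsUEEWxvu8WdmLbyHaf+wWFUMYiyvHcVcw1xPlURI0z6x P1vLl0/Oxy4qNRTARjfcuj5MmdntmB7PHR3nK+Hm8NO1Yt1yDnHTr2LB KGneJdwYUPaSXW+R8nUF98yrZghn0LjzKo3Rp7QZ446dxN8OTjo+KDyx boP5+dO+EnU7qRuYWfLjwomtI7S1sWQZbIkGhQsS2FIcC9y3SL1LYWe8 HtqBkozSED8= ; KSK; alg = RSASHA256; key id = 64507
csupomona.edu. 43072 IN DNSKEY 257 3 8 AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9urWU1Tq4kc21Ca0wsFZQCB 1jU5XNXCiITwEiRboxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbibnd3Y 6oeUfZvKyqgvNlSJqpLdC5SsHN2r9lHREpO3VpE+bZDdfMys8Lb3xtNq dzjRX8a4nz0zH1JfrSQG92pP5YXhErsP//r7YCOQdwnuNsWmECWXDISD hlorYqRsHNmjFsnrCpbDkrp9J84ItPcN7DXqDofxRqGxIZ+sx7GcXecC cyAEtHrM1bZuhzwUjWiscfADWwNTfRrxRxPAgAAorXL4/dYAx/8QfFIN z2/w8Pblrs0= ; KSK; alg = RSASHA256; key id = 58561
csupomona.edu. 42904 IN RRSIG DNSKEY 8 2 43200 20140818161836 20140714163232 64507 csupomona.edu. o4bJimrnoVXVtv4eviO5xKwULVrNv0d1nGQ09yDOAJa5dls9ZIgbca2/ feCDC7xZv6r2586PUBL1kyRlxJGLXBbKz7UK6svMOrUrEYEZivWBFP3D wb6KjrtyN/8sF0ab7Y7x9plGPh8PYpU/Q3QX9XCdolZTTAUvoCQlFkgs o5jvJkl2JvlJ2aP7IbcuExpQc+M9gSU5hE7V5WZv8DrI2iwZh17fzBcm qmX9R7UBnIyvZFDKsVd4QUVLh6+XGyMU8WZWhoiApWLhaWvL3QxNBWHn FrhkZq+V3IKNxxDs2KzwAaq8JWBefFXQP6tCS77NZgR43OBIOZp/m8Zi gOJGWQ==
"""

def name_to_wire(name):
    """Canonical (lowercase) wire form of the owner name, RFC 4034 section 6.2."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (every algorithm but 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, proto, alg, pubkey_b64):
    """What dnssec-dsfromkey prints: key tag, SHA-1 (type 1) and SHA-256 (type 2) DS digests."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)
    msg = name_to_wire(owner) + rdata  # DS digest input, RFC 4034 section 5.1.4
    return {"key_tag": key_tag(rdata),
            1: hashlib.sha1(msg).hexdigest().upper(),
            2: hashlib.sha256(msg).hexdigest().upper()}

def parse_dig(text):
    """Index published DNSKEYs by key tag and collect the key tags of RRSIGs covering DNSKEY."""
    keys, signers = {}, set()
    for line in text.splitlines():
        f = line.split(";")[0].split()  # drop dig's "; KSK; ..." trailer
        if len(f) > 7 and f[3] == "DNSKEY":
            ds = ds_from_dnskey(f[0], int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))
            keys[ds["key_tag"]] = ds
        elif len(f) > 10 and f[3] == "RRSIG" and f[4] == "DNSKEY":
            signers.add(int(f[10]))  # field 10 of an RRSIG is the signing key's tag
    return keys, signers

def ds_registration_check(ds_tag, digest_type, digest, text=DIG_OUTPUT):
    """The three things a parent-side DS submission check can insist on, in order (assumed model)."""
    keys, signers = parse_dig(text)
    if ds_tag not in keys:
        return "no DNSKEY with this key tag is published"
    if keys[ds_tag][digest_type] != digest.replace(" ", "").upper():
        return "DS digest does not match the published DNSKEY"
    if ds_tag not in signers:
        return "DNSKEY published, but the DNSKEY RRset carries no RRSIG made by it"
    return "ok"
```

Run against the quoted data, the current key 64507 passes every step while the new key 58561 stops at the last one, which is exactly the condition Mark points at.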