convert Knot DNS signatures certs to BIND format.

Tony Finch dot at dotat.at
Thu Mar 14 16:21:34 UTC 2019


Milan Jeskynka Kazatel <KazatelM at seznam.cz> wrote:
>
> Now I'm able to sign my zone. But in the dsset file, which should contain the
> same DS as I already have in the parent zone, I have a different "keytag" and
> a different hash.
>
> In my case the "keytag" in the dsset file is 43120.

OK, referring to your previous message...

> > My original "keytag" is 43121.

The keytag calculation is a very simple checksum so the fact that the
correct and incorrect tags differ by 1 is a big clue :-) The KSK flag's
value is 1 (ZSK flags == 256, KSK flags == 257) so it looks like you
missed out the `-f KSK` option to dnssec-keygen when making the template
key files.

You can fix this by changing 256 to 257 in the .key file(s) that should be
KSKs and re-signing the zone. Double check that the key file names match
the key tags, e.g. this is wrong:

$ dnssec-dsfromkey Kexample.com.+013+19633.key
example.com. IN DS 19634 13 1 32CF6889AEBABD43F2A87A59D4EC13A18A91AA0A

(Unexpectedly, BIND does not always get upset when the keytag in a key
file name doesn't match the computed keytag, so it's possible to get
things slightly wrong and not notice unless you double check.)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Southeast Iceland: Cyclonic, mainly northeasterly, 5 to 7, decreasing 4 at
times. Rough or very rough. Wintry showers. Good, occasionally poor.
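An added illustration of the key tag arithmetic Tony describes (this is not code from the original message or from BIND): it implements the RFC 4034 Appendix B checksum over the DNSKEY RDATA, parses the DNSKEY line of a BIND-style `.key` file, and checks whether the tag in a `Kname+alg+tag.key` file name matches the tag computed from the file's contents. The 64-byte public key, the `example.com.` owner and the function names are constructed for the example; the key is not a real ECDSA key.

```python
"""Compute DNSSEC key tags (RFC 4034 Appendix B) and check BIND-style key file names."""
import base64
import re
import struct


def keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA (flags, protocol, algorithm, public key).

    RFC 4034 Appendix B: add even-offset bytes shifted left by 8 and odd-offset
    bytes as-is, fold the carry in once, keep the low 16 bits. The flags field
    is the first two RDATA bytes, so 256 (ZSK) vs 257 (KSK) changes the low
    byte at offset 1 and therefore normally moves the tag by exactly 1.
    (Algorithm 1, RSA/MD5, uses a different rule and is not handled here.)
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr_line: str):
    """Parse the DNSKEY RR line of a .key file; return (owner, flags, proto, alg, pubkey)."""
    fields = rr_line.split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split over several fields
    return owner, flags, proto, alg, pubkey


# BIND key file naming: K<owner>+<alg, 3 digits>+<tag, 5 digits>.key
KEYFILE_RE = re.compile(r"^K(?P<owner>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def check_key_file(filename: str, rr_line: str) -> dict:
    """Compare the tag/algorithm encoded in the file name with what the DNSKEY inside computes."""
    m = KEYFILE_RE.match(filename)
    if not m:
        raise ValueError(f"not a BIND key file name: {filename}")
    _owner, flags, proto, alg, pubkey = parse_dnskey(rr_line)
    computed = keytag(flags, proto, alg, pubkey)
    return {
        "name_tag": int(m["tag"]),
        "computed_tag": computed,
        "is_ksk": bool(flags & 1),  # SEP bit set: 257 = KSK, clear: 256 = ZSK
        "ok": int(m["tag"]) == computed and int(m["alg"]) == alg,
    }


# Constructed sample: 64 bytes 0x00..0x3f stand in for an ECDSA P-256 (alg 13) public key.
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_B64 = base64.b64encode(SAMPLE_PUBKEY).decode()


def sample_rr(flags: int) -> str:
    """A DNSKEY line as it would appear in a .key file, for the constructed sample key."""
    return f"example.com. IN DNSKEY {flags} 3 13 {SAMPLE_B64}"


def demo():
    """Tags for the same key material with ZSK flags (256) and KSK flags (257)."""
    return keytag(256, 3, 13, SAMPLE_PUBKEY), keytag(257, 3, 13, SAMPLE_PUBKEY)


if __name__ == "__main__":
    zsk_tag, ksk_tag = demo()
    print(f"flags 256 -> tag {zsk_tag}, flags 257 -> tag {ksk_tag}, difference {ksk_tag - zsk_tag}")
    # A file still named for the 256 tag, but edited to flags 257, no longer matches its name.
    print(check_key_file(f"Kexample.com.+013+{zsk_tag:05d}.key", sample_rr(257)))
```

Running it shows the two tags one apart, which is the "differ by 1" clue in the message; the second line of output shows that after editing 256 to 257 in a `.key` file the name no longer matches the computed tag, which is the mismatch the `dnssec-dsfromkey` example above illustrates and the reason to rename the file (and its `.private` counterpart) to the new tag before re-signing.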