convert Knot DNS signatures certs to BIND format.

Milan Jeskynka Kazatel KazatelM at seznam.cz
Thu Mar 28 13:58:11 UTC 2019


Hello Tony,

could you please help me one more time?

Your suggested workflow is working for me in most of the cases. Unfortunately,
it happens that the resigning mechanism creates whitespace in the DNSKEY and
in the log I can see a message:

dns_dnssec_findzonekeys2: error reading private key file example.com/ECDSAP256SHA256/6786: file not found

I double-checked the .private and .key files for any typo.

Even if the signing process passes:

#dnssec-signzone -S -P -z example.com
Fetching KSK/ZSK 6786/ECDSAP256SHA256 from key repository.
example.com.signed

Whitespace is visible in dig.

From dig:

example.com.  300     IN      DNSKEY  257 3 13 nZwiBQ/QLbqqrdgh+Ailr2m1Mu2
Mjot6IZ4fzkvAwR8wws5qoJyIqUMX ppcKGFPUg63z70WLgw9oyJOyBHZlIQ==

And in the dnssec-dsfromkey command too.

Could it be a glitch in the openssl command that translates some character
wrongly as a white space after the signing process?

Many thanks for any advice,

best regards,

-- 
Smil Jeskyňka Kazatel

---------- Original e-mail ----------
From: Tony Finch <dot at dotat.at>
To: Milan Jeskynka Kazatel <KazatelM at seznam.cz>
Date: 14. 3. 2019 17:23:38
Subject: Re: convert Knot DNS signatures certs to BIND format.
Milan Jeskynka Kazatel <KazatelM at seznam.cz> wrote:
>
> Now I'm able to sign my zone. But in dsset file, which should contain the
> same DS as I already have in the parent zone I have different "keytag" and
> different hash.
>
> In my case the "keytag" in the dsset file is 43120.

OK, referring to your previous message... 

> > My original "keytag" is 43121. 

The keytag calculation is a very simple checksum so the fact that the 
correct and incorrect tags differ by 1 is a big clue :-) The KSK flag's 
value is 1 (ZSK flags == 256, KSK flags == 257) so it looks like you 
missed out the `-f KSK` option to dnssec-keygen when making the template 
key files. 

You can fix this by changing 256 to 257 in the .key file(s) that should be 
KSKs and re-signing the zone. Double check that the key file names match 
the key tags, e.g. this is wrong: 

$ dnssec-dsfromkey Kexample.com.+013+19633.key 
example.com. IN DS 19634 13 1 32CF6889AEBABD43F2A87A59D4EC13A18A91AA0A 

(Unexpectedly, BIND does not always get upset when the keytag in a key 
file name doesn't match the computed keytag, so it's possible to get 
things slightly wrong and not notice unless you double check.) 

Tony. 
-- 
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ 
Southeast Iceland: Cyclonic, mainly northeasterly, 5 to 7, decreasing 4 at 
times. Rough or very rough. Wintry showers. Good, occasionally poor.
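The key tag arithmetic Tony describes above (RFC 4034 Appendix B) and his file-name check, as an added example that is not part of this thread: it parses a DNSKEY presentation line the way dig or a BIND .key file prints it (the base64 may be split by whitespace, which RFC 4034 section 2.2 allows), computes the key tag, shows that changing the flags from 256 to 257 moves the tag by one, and compares the tag against the tag embedded in a K<zone>.+<alg>+<tag>.key file name. The 8-byte "public key" and the file names are constructed for illustration, not a real ECDSA key.

```python
import base64
import re
import struct

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: even-offset bytes count as the high byte, odd as the low."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str):
    """Parse a DNSKEY presentation line (dig output or a BIND .key file).
    Whitespace inside the base64 is permitted by RFC 4034 section 2.2 and dig
    wraps long keys, so every field after the algorithm is joined before decoding."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return flags, proto, alg, pubkey

def dnskey_tag(line: str) -> int:
    flags, proto, alg, pubkey = parse_dnskey(line)
    # Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key bytes.
    return key_tag(struct.pack("!HBB", flags, proto, alg) + pubkey)

def filename_matches(filename: str, line: str) -> bool:
    """BIND names key files K<zone>.+<alg:03d>+<tag:05d>.key; check the name against the real tag."""
    m = re.search(r"\+(\d{3})\+(\d{5})\.(?:key|private)$", filename)
    if not m:
        return False
    _, _, alg, _ = parse_dnskey(line)
    return int(m.group(1)) == alg and int(m.group(2)) == dnskey_tag(line)

# Constructed 8-byte "public key" (not a real ECDSA key) so the sum can be followed by hand.
CONSTRUCTED_KEY = bytes.fromhex("1020304050607080")
_b64 = base64.b64encode(CONSTRUCTED_KEY).decode()
ZSK_LINE = f"example.com. 300 IN DNSKEY 256 3 13 {_b64[:6]} {_b64[6:]}"  # split like dig does
KSK_LINE = ZSK_LINE.replace(" 256 ", " 257 ")  # same key, KSK flag bit set

if __name__ == "__main__":
    zsk, ksk = dnskey_tag(ZSK_LINE), dnskey_tag(KSK_LINE)
    print(f"ZSK tag {zsk}, KSK tag {ksk}, difference {ksk - zsk}")
    # A key file generated without -f KSK and later edited to 257 keeps a name that is off by one:
    print(filename_matches(f"Kexample.com.+013+{zsk:05d}.key", KSK_LINE))
```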