Inline signing fails dnsviz test.

Dan Egli dan at newideatest.site
Mon May 10 18:30:26 UTC 2021


On 5/10/2021 12:17 PM, Tony Finch wrote:
> Dan Egli <dan at newideatest.site> wrote:
>> Where do I get the DS record, since I'm using bind's inline signing?
> Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the
> KSK file)
>
> 	$ grep This Kcam.ac.uk.+013+32840.key
> 	; This is a key-signing key, keyid 32840, for cam.ac.uk.
> 	$ dnssec-dsfromkey -2 Kcam.ac.uk.+013+32840.key
> 	cam.ac.uk. IN DS 32840 13 2 2BDAF21907420CE792AF02B55071953BC2BDB64B5126710E12AF89F711322B85
>
> or from your DNSKEY RRset (safest to run this on your primary to be sure
> the keys aren't mangled)
>
> 	$ dig cam.ac.uk dnskey | dnssec-dsfromkey -2 -f - cam.ac.uk
> 	cam.ac.uk. IN DS 32840 13 2 2BDAF21907420CE792AF02B55071953BC2BDB64B5126710E12AF89F711322B85
>
> Tony.

Still not working for me. The dig doesn't report anything, and I don't HAVE a keyfile since I'm using inline signing. Or does inline signing still require a key to be generated? The walkthrough I was looking at didn't seem to indicate that.

  dig @localhost newideatest.site dnskey

; <<>> DiG 9.16.12 <<>> @localhost newideatest.site dnskey
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38832
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f9328808600478370100000060997aea2f4ce09bf11a954c (good)
;; QUESTION SECTION:
;newideatest.site.              IN      DNSKEY

;; AUTHORITY SECTION:
newideatest.site.       120     IN      SOA     newideatest.site. dan.newideatest.site. 5 120 240 604800 86400

;; Query time: 10 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 10 12:26:50 MDT 2021
;; MSG SIZE  rcvd: 113

So, of course dnssec-dsfromkey doesn't work:

  dig @localhost newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
dnssec-dsfromkey: fatal: no DNSKEY RR for newideatest.site in input


-- 
Dan Egli
From my Test Server
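What dnssec-dsfromkey actually computes, as an added Python example that is not part of this thread or of BIND: the DS digest is hash(owner name in canonical wire form || DNSKEY RDATA) and the key tag follows RFC 4034 Appendix B. The owner name example.test and the 4-byte key stubs are constructed placeholders, not real keys; the function reading dig output returns an empty list for an answer like the one above, which has only a SOA in the AUTHORITY section and no DNSKEY.

```python
import base64
import hashlib
import struct

# Digest types (RFC 4034 / RFC 4509 / RFC 6605); -2 in the thread selects SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' -> (owner, flags, alg, rdata)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    key = base64.b64decode("".join(f[i + 4:]))   # dig may print the key with embedded spaces
    return f[0], flags, alg, struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(line, digest_type=2):
    """Equivalent of 'dnssec-dsfromkey -<digest_type>' for one DNSKEY presentation-format line."""
    owner, flags, alg, rdata = parse_dnskey(line)
    if not flags & 0x0001:   # SEP bit: only the KSK's DS belongs at the parent
        raise ValueError("SEP flag not set: this is a ZSK, not a key-signing key")
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"

def ds_from_dig_output(text, digest_type=2):
    """DS records for every KSK (flags 257) in dig output; [] when no DNSKEY was answered."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or "DNSKEY" not in fields:
            continue   # comments, empty ANSWER section, SOA in AUTHORITY, etc.
        if parse_dnskey(line)[1] & 0x0001:
            out.append(ds_from_dnskey(line, digest_type))
    return out

# Constructed samples: 4-byte stand-ins for a real public key, NOT usable keys.
SAMPLE_KSK = "example.test. 3600 IN DNSKEY 257 3 13 AQIDBA=="
SAMPLE_ZSK = "example.test. 3600 IN DNSKEY 256 3 13 BQYHCA=="

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_KSK))
```

Feed it the output of `dig @primary zone dnskey` once the DNSKEY RRset is actually being answered; an empty list means the zone is not yet signed or the query hit the wrong server.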
