Inline signing fails dnsviz test.
Dan Egli
dan at newideatest.site
Mon May 10 18:30:26 UTC 2021
On 5/10/2021 12:17 PM, Tony Finch wrote:
> Dan Egli <dan at newideatest.site> wrote:
>> Where do I get the DS record, since i'm using bind's inline signing?
> Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the
> KSK file)
>
> $ grep This Kcam.ac.uk.+013+32840.key
> ; This is a key-signing key, keyid 32840, for cam.ac.uk.
> $ dnssec-dsfromkey -2 Kcam.ac.uk.+013+32840.key
> cam.ac.uk. IN DS 32840 13 2 2BDAF21907420CE792AF02B55071953BC2BDB64B5126710E12AF89F711322B85
>
> or from your DNSKEY RRset (safest to run this on your primary to be sure
> the keys aren't mangled)
>
> $ dig cam.ac.uk dnskey | dnssec-dsfromkey -2 -f - cam.ac.uk
> cam.ac.uk. IN DS 32840 13 2 2BDAF21907420CE792AF02B55071953BC2BDB64B5126710E12AF89F711322B85
>
> Tony.
Still not working for me. The dig doesn't report anything, and I don't
HAVE a keyfile since i'm using inline signing. Or does inline signing
still require a key to be generated? The walkthrough I was looking at
didn't seem to indicate that.
dig @localhost newideatest.site dnskey
; <<>> DiG 9.16.12 <<>> @localhost newideatest.site dnskey
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38832
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f9328808600478370100000060997aea2f4ce09bf11a954c (good)
;; QUESTION SECTION:
;newideatest.site. IN DNSKEY
;; AUTHORITY SECTION:
newideatest.site. 120 IN SOA newideatest.site.
dan.newideatest.site. 5 120 240 604800 86400
;; Query time: 10 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 10 12:26:50 MDT 2021
;; MSG SIZE rcvd: 113
So, of course dnssec-dsfromkey does't work:
dig @localhost newideatest.site dnskey | dnssec-dsfromkey -2 -f -
newideatest.site
dnssec-dsfromkey: fatal: no DNSKEY RR for newideatest.site in input
--
Dan Egli
From my Test Server
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x11B7451DF2015959.asc
Type: application/pgp-keys
Size: 3792 bytes
Desc: OpenPGP public key
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210510/15b04225/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210510/15b04225/attachment-0001.bin>
More information about the bind-users
mailing list