Funky Key Tag in AWS Route53

Eric Germann ekgermann at semperen.com
Thu Dec 29 00:40:08 UTC 2022


I’m running bind 9.18.10 and having a hell of a time with AWS Route53 and DNSSEC.

I’m testing dnssec-policy and have algorithms 8, 13, and 15 set.  On the test domain I’m using, I wiped the old keys, deleted the DS records in the parent zone and basically started from scratch.

I started named and it created new .key/.private files in the key directory.  My KSK is Kericgermann.photography.+008+32686.key and I run dnssec-dsfromkey and get a DS record.  I cut and paste that record into the Route53 DNSSEC config and it decodes the key tag as 22755 instead of 32686.

I get a DNSviz diagram that looks like this: https://dnsviz.net/d/ericgermann.photography/dnssec/

In the diagram, .photography is looking for a key tag of 22755 instead of the correct 32686 for algorithm 8.

My question is:

Is there any way to decode the DS record and see what key tag is actually encoded in it?  If it’s 32686 it’s an issue with Route53.  If it’s 22755 it’s an issue with dnssec-dsfromkey.

If anyone wants the DNSKEY for algorithm 8, ping me off list and I will share it with you in a private email.

Thoughts?


--
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Medium: https://ekgermann.medium.com
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
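
Added example (not part of the original post, and not BIND or Route 53 code): in presentation format the key tag is the first number after DS, so it can be read directly. The sketch below also recomputes the tag from a DNSKEY line per RFC 4034 Appendix B and checks the SHA-256 digest. The owner name example.test. and its 4-byte key material are constructed sample input.

```python
import base64, hashlib, struct

def dnskey_rdata(line):
    """DNSKEY presentation line (as found in a K*.key file) -> wire RDATA."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[i + 4:]))

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1), over the whole RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_ds(line):
    """DS presentation line -> (key_tag, algorithm, digest_type, digest_hex)."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return tag, alg, dtype, "".join(f[i + 4:]).upper()

def make_ds(dnskey_line):
    """Build the SHA-256 (digest type 2) DS line for a DNSKEY line."""
    owner = dnskey_line.split()[0]
    rdata = dnskey_rdata(dnskey_line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {digest}"

def compare(ds_line, dnskey_line):
    """Tag stored in the DS, tag recomputed from the key, and whether the digest matches."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    expected = parse_ds(make_ds(dnskey_line))
    return {"ds_tag": tag, "key_tag": expected[0],
            "digest_ok": dtype == 2 and digest == expected[3]}

# Constructed sample: a 4-byte "public key", far too short to be a real key.
SAMPLE_KEY = "example.test. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    ds = make_ds(SAMPLE_KEY)
    print(ds, compare(ds, SAMPLE_KEY))
    # Same digest with an altered tag field: digest still matches, tags differ.
    print(compare(ds.replace(" 2063 ", " 9999 "), SAMPLE_KEY))
```

The tag is computed over the flags, protocol and algorithm fields as well as the key bytes, so the same key material with different flags yields a different tag.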






