Funky Key Tag in AWS Route53
Timothe Litt
litt at acm.org
Thu Dec 29 13:43:00 UTC 2022
On 28-Dec-22 19:40, Eric Germann wrote:
> My question is
>
> Is there any way to decode the DS record and see what key tag is
> actually encoded in it? If it’s 32686 it’s an issue with Route53. If
> it’s 22755 it’s an issue with dnssec-dsfromkey.
>
> If anyone wants the DNSKEY for algorithm 8, ping me off list and I
> will share it with you in a private email.
>
> Thoughts?
>
>
Perhaps you have TTL issues.
dnssec-dsfromkey and dnsviz are both accurate.
The keytag is visible in the DS record. No decoding needed. First field
after "DS":

    ericgermann.photography. 3600 IN DS 22755 8 2
    2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9

See also Perl Net::DNS::SEC. Here are some one-liners from your domain
that print the keytag from DS and DNSKEY records.
    perl -MNet::DNS -MNet::DNS::SEC -e 'print
    Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2
    2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
    22755

    perl -MNet::DNS -MNet::DNS::SEC -e 'print
    Net::DNS::RR->new("ericgermann.photography. DNSKEY 256 3 15
    9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ=")->keytag,"\n"'
    48248

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
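
The cross-check described in the message above, as an added example that is not part of the original thread, of Net::DNS or of dnssec-dsfromkey: a Python script that computes the key tag from DNSKEY RDATA per RFC 4034 Appendix B, reads the key tag straight out of the first DS RDATA field, and rebuilds the DS digest per RFC 4034 section 5.1.4 so the two records can be compared field by field. The sample records are the two quoted in the message; the DS carries algorithm 8 while the only DNSKEY on the page is the algorithm-15 ZSK, so they are not expected to match, and the round trip at the end shows what a matching pair looks like. Function names and the `IN DS` output format are this example's own choices.

```python
"""Added example (not from the thread or Net::DNS): cross-check a DS against a DNSKEY.

Key tag per RFC 4034 Appendix B, DS digest per RFC 4034 section 5.1.4.
Function names are this example's own choices.
"""
import base64
import hashlib
import struct

# Constructed sample input: the two records quoted in the message above.
# The DS refers to the algorithm-8 key; the DNSKEY is the algorithm-15 ZSK.
DNSKEY_TEXT = ("ericgermann.photography. 3600 IN DNSKEY 256 3 15 "
               "9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ=")
DS_TEXT = ("ericgermann.photography. 3600 IN DS 22755 8 2 "
           "2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")

# DS digest types from the IANA registry; anything else is treated as unverifiable.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Canonical wire form of an owner name (lowercase, uncompressed, RFC 4034 6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _rdata_fields(text, rrtype):
    """Split presentation format into (owner, RDATA fields); TTL and class are optional."""
    fields = text.split()
    return fields[0], fields[fields.index(rrtype) + 1:]


def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, public key bytes)."""
    owner, rd = _rdata_fields(text, "DNSKEY")
    flags, proto, alg = (int(x) for x in rd[:3])
    return owner, flags, proto, alg, base64.b64decode("".join(rd[3:]))


def parse_ds(text):
    """Return (owner, key tag, algorithm, digest type, digest bytes).

    The key tag is simply the first RDATA field; nothing has to be decoded."""
    owner, rd = _rdata_fields(text, "DS")
    tag, alg, dtype = (int(x) for x in rd[:3])
    return owner, tag, alg, dtype, bytes.fromhex("".join(rd[3:]))


def dnskey_rdata(flags, proto, alg, key):
    """Wire-format DNSKEY RDATA: flags (16 bit), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def keytag(rdata, alg):
    """RFC 4034 Appendix B: 16-bit word sum over the whole RDATA, carry folded back in."""
    if alg == 1:  # RSA/MD5 legacy rule: middle two of the last three key bytes
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, proto, alg, key, dtype=2):
    """Return the (key tag, algorithm, digest type, digest) a DS for this DNSKEY must carry."""
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGEST_ALGS[dtype](owner_wire(owner) + rdata).digest()
    return keytag(rdata, alg), alg, dtype, digest


def format_ds(owner, tag, alg, dtype, digest):
    """Presentation form of a DS, in the layout parse_ds() accepts."""
    return f"{owner} IN DS {tag} {alg} {dtype} {digest.hex().upper()}"


def ds_matches(dnskey_text, ds_text):
    """True only if owner, key tag, algorithm, digest type and digest all agree."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_text)
    ds_owner, tag, ds_alg, dtype, digest = parse_ds(ds_text)
    if owner_wire(owner) != owner_wire(ds_owner) or dtype not in DIGEST_ALGS:
        return False
    return make_ds(owner, flags, proto, alg, key, dtype) == (tag, ds_alg, dtype, digest)


if __name__ == "__main__":
    owner, flags, proto, alg, key = parse_dnskey(DNSKEY_TEXT)
    print("DNSKEY key tag:", keytag(dnskey_rdata(flags, proto, alg, key), alg))
    print("DS key tag:    ", parse_ds(DS_TEXT)[1])
    print("DS matches DNSKEY:", ds_matches(DNSKEY_TEXT, DS_TEXT))
    print("DS this DNSKEY would need:",
          format_ds(owner, *make_ds(owner, flags, proto, alg, key)))
```

Run as-is it reports key tag 48248 for the DNSKEY (the same value Net::DNS prints above) and 22755 for the DS, and a non-match because the two records describe different keys. To settle the question in the thread, paste the algorithm-8 DNSKEY into DNSKEY_TEXT: if the computed tag is 22755 and the digest agrees, the DS published by Route53 is the one that was generated; if the tag differs, the DS in Route53 was generated from a different key than the one being compared.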