Funky Key Tag in AWS Route53 (2)
Timothe Litt
litt at acm.org
Thu Dec 29 14:17:26 UTC 2022
On 28-Dec-22 19:40, Eric Germann wrote:
> My question is
>
> Is there any way to decode the DS record and see what key tag is
> actually encoded in it? If it’s 32686 it’s an issue with Route53. If
> it’s 22755 it’s an issue with dnssec-dsfromkey.
>
> If anyone wants the DNSKEY for algorithm 8, ping me off list and I
> will share it with you in a private email.
>
> Thoughts?
>
And because it's trivial, here are the keytags for all your keys and DS
records and how to get them. Note that you have DNSKEY 32686 installed
in the DNS, and that the installed DS is 22755.
Can't say how it got that way, but that's what is there. (Manual
processes are error-prone. That getting registrars to adopt CDS/CDNSKEY
- RFC7344 - has been so slow is unfortunate.) It's rarely the tools.
perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DNSKEY); print "$_ => ", Net::DNS::RR->new("ericgermann.photography. DNSKEY $_")->keytag, "\n" foreach (@keys);'

257 3 8 AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt
    xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O
    vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1
    SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL
    UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV
    4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM= => *32686*
256 3 8 AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K
    AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET
    VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2
    hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt
    qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL
    oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE pbl7yiINzTU= => 43126
256 3 13 bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+
    H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== => 36584
256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ= => 48248
257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA= => 13075
257 3 13 DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6
    tkGehWujsuYtwLf0aKt2b1mjQUk/BA== => 49677

perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DS); print "$_ => ", Net::DNS::RR->new("ericgermann.photography. DS $_")->keytag, "\n" foreach (@keys);'

22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92
    2D1E7FA9 => *22755*
You can, of course, use data from your files instead of dig. Works for
both DS and DNSKEY:

perl -MNet::DNS -MNet::DNS::SEC -e'print Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag, "\n"'
Enjoy.
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
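The same check written out in Python rather than Perl, as an added example that is not from the message above or from Net::DNS: it computes the RFC 4034 Appendix B key tag over the DNSKEY RDATA, derives the DS digest (RFC 4034 section 5.1.4), and reports field by field whether a published DS belongs to a given DNSKEY, so a key-tag mismatch like the one in this thread stands out from a digest mismatch. The owner name example.test. and the DNSKEY in the demo are constructed sample values; the "257 3 8 ..." lines from dig +short can be passed in their place.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(presentation: str) -> bytes:
    """'257 3 8 <base64>' (as printed by dig +short) -> wire RDATA."""
    flags, proto, alg, *key = presentation.split()
    pub = base64.b64decode("".join(key))           # dig/mail wrapping splits the base64
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + pub

def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_from_dnskey(owner: str, dnskey: str, digest_type: int = 2) -> str:
    """Build the DS presentation text that should be published for this DNSKEY."""
    rdata = dnskey_rdata(dnskey)
    alg = int(dnskey.split()[2])
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{keytag(rdata)} {alg} {digest_type} {digest}"

def ds_matches_dnskey(owner: str, ds: str, dnskey: str) -> dict:
    """Compare a published DS with a DNSKEY field by field, so a wrong key tag
    (the 22755-vs-32686 situation in the thread) is reported as such."""
    tag, alg, dtype, *digest = ds.split()       # digest hex may be split by whitespace
    expected = ds_from_dnskey(owner, dnskey, int(dtype)).split()
    return {
        "keytag_match": int(tag) == int(expected[0]),
        "algorithm_match": int(alg) == int(expected[1]),
        "digest_match": "".join(digest).upper() == expected[3],
    }

if __name__ == "__main__":
    # Constructed sample key (not a real zone key); its key tag works out to 2063.
    key = "257 3 8 AQIDBA=="
    ds = ds_from_dnskey("example.test.", key)
    print(ds)
    print(ds_matches_dnskey("example.test.", "22755 8 2 " + ds.split()[3], key))
```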