RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)

Eric Germann ekgermann at semperen.com
Thu Dec 29 23:37:31 UTC 2022



On Dec 29, 2022, at 16:34, Timothe Litt <litt at acm.org> wrote:

<snip>

Yup, Eric's case was a classic example.  He tried to do the right thing, put in the wrong record, and the system didn't produce the expected results.  To his credit, he persisted.  Most people don't.  A while ago there was a study (cloudflare/APNIC <https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/>) that showed that only about 40% of people who enabled DNSSEC for their accounts successfully served DS records in their registry.

</snip>

The really annoying part is it isn’t obvious that they want the public key and not the result of dnssec-dsfromkey; they do it themselves.  The other annoying part is they throw an error if the key isn’t valid Base64 (think spaces or newlines), but gladly accept the DS output from dnssec-dsfromkey.  Somehow or other they are getting the key tag from the incorrect DS record, because they encode the already encoded string again.

I looked in the docs for boto3 (the official API for AWS) and there appears to be no way to add a public key, so you can’t do it programmatically.

I’ll have to pass that on to my AWS contacts.  Doubt they’ll do anything but it is worth throwing it over the fence.

Again, thanks for all the help!

Eric
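
As an added example (not code from Eric's message, from ISC or from AWS), the following Python reproduces the two computations the thread is about: the RFC 4034 Appendix B key tag over DNSKEY RDATA, and the DS record that dnssec-dsfromkey derives from it. The owner name example.com. and the 64-byte key are constructed (the key is not a real ECDSA public key; the key tag does not care). It also adds the check a practitioner would want before pasting into a registrar form: a classifier that tells DNSKEY RDATA ("flags 3 alg BASE64") from DS RDATA ("keytag alg digesttype HEX"), and a small function showing why a Base64-validity check alone does not catch the mistake, since a SHA-256 hex digest is 64 characters drawn entirely from the Base64 alphabet and so decodes without error. How Route53 itself arrives at its key tag is not known from the thread; the last lines of the demo only show that a tag computed over the mis-decoded bytes is not the tag of the key.

```python
# Key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 Section 5) for a DNSKEY,
# plus a check that pasted text is DNSKEY RDATA and not dnssec-dsfromkey output.
# Added example; not from the original post, ISC or AWS.
import base64
import hashlib
import struct

# Constructed inputs, not a real key: 64 arbitrary bytes shaped like an
# ECDSAP256SHA256 (algorithm 13) public key under a made-up owner name.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY = bytes(range(64))


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag (algorithm 1 uses a different rule; not handled)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as hashed into the DS digest."""
    labels = [lab.lower().encode("ascii") for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"


def dnskey_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """Presentation form; the Base64 blob is the 'public key' field the thread discusses."""
    b64 = base64.b64encode(pubkey).decode("ascii")
    return f"{owner} IN DNSKEY {flags} {protocol} {algorithm} {b64}"


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """What dnssec-dsfromkey -2 prints: keytag, algorithm, digest type 2, SHA-256 hex."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


_DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # SHA-1, SHA-256, SHA-384


def classify(text: str) -> str:
    """Return 'DNSKEY', 'DS' or 'unknown' for a zone-file line or bare RDATA.

    Heuristic: DS RDATA is 'keytag alg digesttype HEX' with a digest of fixed
    length; DNSKEY RDATA is 'flags 3 alg BASE64'. Whitespace inside the Base64
    (line wraps from some tools) is folded before checking.
    """
    fields = text.split()
    if "IN" in fields[:3]:                      # strip "owner [TTL] IN TYPE"
        fields = fields[fields.index("IN") + 2:]
    if len(fields) < 4 or not all(f.isdigit() for f in fields[:3]):
        return "unknown"
    _, second, third = (int(f) for f in fields[:3])
    blob = "".join(fields[3:])
    hexdigits = set("0123456789abcdefABCDEF")
    if third in _DS_DIGEST_HEX_LEN and set(blob) <= hexdigits \
            and len(blob) == _DS_DIGEST_HEX_LEN[third]:
        return "DS"
    if second == 3 and len(blob) % 4 == 0:      # DNSKEY protocol field is always 3
        try:
            base64.b64decode(blob, validate=True)
            return "DNSKEY"
        except ValueError:                      # binascii.Error subclasses ValueError
            pass
    return "unknown"


def misread_as_base64(hex_digest: str) -> int:
    """Bytes a strict Base64 decoder yields from a DS hex digest.

    Every hex digit is also a Base64 alphabet character, and a SHA-256 digest is
    64 characters (a multiple of 4), so the digest decodes cleanly into 48 bytes
    of nonsense instead of being rejected. Checking 'is it valid Base64' alone
    therefore cannot catch DS text pasted where a DNSKEY is expected.
    """
    return len(base64.b64decode(hex_digest, validate=True))


if __name__ == "__main__":
    args = (SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY)
    dnskey, ds = dnskey_record(*args), ds_record(*args)
    print(dnskey)
    print(ds)
    print("DNSKEY line classifies as", classify(dnskey))
    print("DS line classifies as", classify(ds))
    garbage = base64.b64decode(ds.split()[-1], validate=True)
    print("DS digest decodes to", len(garbage), "bytes; a tag over those bytes is",
          key_tag(dnskey_rdata(257, 3, 13, garbage)), "(illustration only)")
```

Run with the constructed key and the DNSKEY line is classified "DNSKEY", the DS line "DS", and the DS digest decodes to 48 bytes under a strict Base64 decoder; the tag printed on the last line is not the key's tag, which is the symptom the thread describes.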
