RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)

Mark Andrews marka at isc.org
Fri Dec 30 00:30:07 UTC 2022


Valid base64 includes spaces and newlines. Poorly written record parsers reject valid records.

-- 
Mark Andrews

> On 30 Dec 2022, at 10:38, Eric Germann via bind-users <bind-users at lists.isc.org> wrote:
> 
> 
> 
> On Dec 29, 2022, at 16:34, Timothe Litt <litt at acm.org> wrote:
> 
> <snip>
> 
> Yup, Eric's case was a classic example.  He tried to do the right thing, put in the wrong record, and the system didn't produce the expected results.  To his credit, he persisted.  Most people don't.  A while ago there was a study (cloudflare/APNIC) that showed that only about 40% of people who enabled DNSSEC for their accounts successfully served DS records in their registry.
> 
> </snip>
> 
> The really annoying part is it isn’t obvious that they want the public key and not the result of dnssec-dsfromkey; they do it themselves.  The annoying part is they throw an error if the key isn’t valid Base64 (think spaces or newlines), but gladly accept the DS output from dnssec-dsfromkey.  Somehow or another they are getting the key tag from the incorrect DS record, because they encode again the already encoded string.
> 
> I looked in the docs for boto3 (the official API for AWS) and there appears no way to add a public key so you can’t do it programmatically.
> 
> I’ll have to pass that on to my AWS contacts.  Doubt they’ll do anything but it is worth throwing it over the fence.
> 
> Again, thanks for all the help!
> 
> Eric
> 
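The key-tag mix-up Eric describes, as an added Python example (not code from this thread, from BIND or from AWS): parse a presentation-format DNSKEY whose base64 public key is wrapped across whitespace, as dnssec-keygen output often is, compute the RFC 4034 Appendix B key tag over the wire-format RDATA, and compare it with the tag you get when the already-encoded base64 text is fed in as if it were the key bytes. The record, owner name and key bytes are constructed for the demonstration and are not a real key.

```python
import base64
import binascii

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13, with a made-up
# 12-byte "public key" (01 02 ... 0c) wrapped over two tokens in BIND's ( ) syntax.
SAMPLE_DNSKEY = (
    "example.com. 3600 IN DNSKEY 257 3 13 ( AQIDBAUG\n"
    "        BwgJCgsM )  ; constructed, not a real key"
)


def split_dnskey(record: str):
    """Return (flags, proto, alg, base64_text); whitespace between tokens is legal."""
    text = record.split(";", 1)[0]                      # drop trailing comment
    tokens = [t for t in text.split() if t not in ("(", ")")]
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    return flags, proto, alg, "".join(tokens[i + 4:])   # join the wrapped base64


def parse_dnskey(record: str):
    """Correct parse: join the tokens first, then decode strictly."""
    flags, proto, alg, b64 = split_dnskey(record)
    return flags, proto, alg, base64.b64decode(b64, validate=True)


def strict_parser_rejects(pubkey_field: str) -> bool:
    """The 'poorly written parser': validating the raw field rejects wrapped base64."""
    try:
        base64.b64decode(pubkey_field, validate=True)
        return False
    except binascii.Error:
        return True


def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (every algorithm except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tag_of_record(record: str) -> int:
    return key_tag(*parse_dnskey(record))


def key_tag_double_encoded(record: str) -> int:
    """Tag produced when the base64 text itself is treated as the key bytes."""
    flags, proto, alg, b64 = split_dnskey(record)
    return key_tag(flags, proto, alg, b64.encode("ascii"))
```

A DS record published with the second tag will never match the real key, which is exactly the "key tag from the incorrect DS record" symptom in the thread.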