Only one DS key comes back in query

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon May 16 14:15:21 UTC 2022


If you have the public key file you can do:

dnssec-dsfromkey Kexample.com.+013+55640.key
example.com. IN DS 55640 13 2 CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9

Or you can query the auth nameserver like this:

dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" |
dnssec-dsfromkey -f - example.com.

Daniel

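A way to do the same comparison offline, as an added example that is not part of Daniel's message and not BIND's own code: the Python below reimplements what dnssec-dsfromkey computes (the RFC 4034 Appendix B key tag, and the DS digest over the canonical owner name in wire form followed by the DNSKEY RDATA, RFC 4034 section 5.1.4) and checks every line of a dsset- file against the DNSKEY records the authoritative server hands out. The DNSKEY in it is a constructed placeholder (an all-zero 64-byte key with the shape of algorithm 13), not a real key; the file names and function names are this example's own.

```python
"""Check the DS records in a dsset- file against the DNSKEY records an
authoritative server serves, without contacting the registrar.

Reimplements what dnssec-dsfromkey does: key tag per RFC 4034 Appendix B,
DS digest = hash(canonical owner name in wire form || DNSKEY RDATA) per
RFC 4034 section 5.1.4. Standard library only, runs offline.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, absolute, length-prefixed labels."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Uppercase hex digest of owner-name-wire || DNSKEY RDATA, as dnssec-dsfromkey prints it."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def parse_dnskey_line(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' as printed by dig or in a .key file."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, "".join(f[i + 4:])


def ds_record_from_line(dnskey_line: str, digest_type: int) -> str:
    """The DS presentation line dnssec-dsfromkey would print for this DNSKEY and digest type."""
    owner, flags, proto, alg, key_b64 = parse_dnskey_line(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, key_b64)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def parse_ds_line(line: str):
    """Parse 'owner [ttl] [IN] DS keytag alg digesttype digest...' (dsset- file or dig output)."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return f[0], tag, alg, dtype, "".join(f[i + 4:]).upper()


def check_dsset(dnskey_lines, ds_lines):
    """For each DS line: 'match', 'digest mismatch', or no served DNSKEY with that key tag and algorithm."""
    keys = []
    for line in dnskey_lines:
        owner, flags, proto, alg, key_b64 = parse_dnskey_line(line)
        rdata = dnskey_rdata(flags, proto, alg, key_b64)
        keys.append((owner.lower().rstrip("."), key_tag(rdata), alg, rdata))
    results = []
    for ds in ds_lines:
        owner, tag, alg, dtype, digest = parse_ds_line(ds)
        cands = [k for k in keys if k[0] == owner.lower().rstrip(".") and k[1] == tag and k[2] == alg]
        if not cands:
            results.append((ds, "no DNSKEY with this key tag and algorithm"))
        elif any(ds_digest(owner, k[3], dtype) == digest for k in cands):
            results.append((ds, "match"))
        else:
            results.append((ds, "digest mismatch"))
    return results


# Constructed placeholder for the demo: an all-zero 64-byte "key", NOT a real DNSKEY.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + "A" * 86 + "=="

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # check_ds.py <dnskey lines from dig> <dsset-file>
        with open(sys.argv[1]) as kf, open(sys.argv[2]) as df:
            dnskeys = [l for l in kf if "DNSKEY" in l]
            dss = [l for l in df if " DS " in l]
    else:
        dnskeys = [SAMPLE_DNSKEY]
        dss = [ds_record_from_line(SAMPLE_DNSKEY, 1), ds_record_from_line(SAMPLE_DNSKEY, 2)]
        dss.append(dss[1][:-1] + ("0" if dss[1][-1] != "0" else "1"))  # one hex digit corrupted
    for line, status in check_dsset(dnskeys, dss):
        print(f"{status:45s} {line.strip()}")
```

Feed it the answer section of `dig @localhost example.com. DNSKEY +noall +answer` saved to a file, plus the dsset-example.com. file, and it reports for each DS line whether some served key with that key tag and algorithm hashes to that digest under that digest type (1 is SHA-1, 2 is SHA-256). A match only proves the dsset was generated from the keys the server serves; what the parent zone actually publishes is a separate query, `dig example.com. DS`, which is answered from the parent and therefore shows what the registrar submitted.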

On 16.05.22 16:01, frank picabia wrote:
> Let's put it another way:
> 
> Using tools like host or dig, can I look up my DS without it talking to
> the domain registrar?
> 
> If it is always getting from the domain registrar, I can't see how to
> check the DS is set up all right purely within bind.
> 
> 
> On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev <anandb at ripe.net> wrote:
> 
>     On 16/05/2022 15:07, frank picabia wrote:
> 
>     Hi Frank,
> 
>     > I have dsset-example.com showing two DS keys with algorithm 8.
>     > I included both .key files in my DNS.  Only digest 1 comes back
>     > in a dig query.
>     >
>     > I use dnssec-signzone tool to sign the zone file.
>     >
>     > The domain registrar says there is a problem with the digest 2 value.
>     > It's copied directly from the dsset file.
>     >
>     > Not sure about the chicken and the egg in this case.  When I do a dig, is
>     > it really just getting the value back from the domain registrar?
>     >
>     > Any suggestions on how to ensure my digest 2 DS value is set up right?
> 
>     We cannot help you if we cannot see the DS records or know which domain
>     they are for.
> 
>     Anand
> 
> 


More information about the bind-users mailing list