Only one DS key comes back in query
frank picabia
fpicabia at gmail.com
Mon May 16 14:37:25 UTC 2022
That's helpful. Very similar to what I found a minute ago on
https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/
with their example:
dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net
I've done this for my domain and both of my DS keys are showing up. Tried
the dnssec-dsfromkey with the .key file as well and that sanity check passed.
I think I'm set up all right, I'll need to check again with the domain registrar.
Thanks for the assistance.
On Mon, May 16, 2022 at 11:15 AM Daniel Stirnimann <
daniel.stirnimann at switch.ch> wrote:
> If you have the public key file you can do:
>
> dnssec-dsfromkey Kexample.com.+013+55640.key
> example.com. IN DS 55640 13 2
> CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9
>
> Or you can query the auth nameserver like this:
>
> dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" |
> dnssec-dsfromkey -f - example.com.
>
> Daniel
>
>
> On 16.05.22 16:01, frank picabia wrote:
> > Let's put it another way:
> >
> > Using tools like host or dig, can I look up my DS without it talking to
> > the domain registrar?
> >
> > If it is always getting from the domain registrar, I can't see how to
> > check the DS is set up all right purely within bind.
> >
> >
> > On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev <anandb at ripe.net> wrote:
> >
> > On 16/05/2022 15:07, frank picabia wrote:
> >
> > Hi Frank,
> >
> > > I have dsset-example.com showing two DS keys with algorithm 8.
> > > I included both .key files in my DNS. Only digest 1 comes back
> > > in a dig query.
> > >
> > > I use dnssec-signzone tool to sign the zone file.
> > >
> > > The domain registrar says there is a problem with the digest 2 value.
> > > It's copied directly from the dsset file.
> > >
> > > Not sure about the chicken and the egg in this case. When I do a
> > > dig, is it really just getting the value back from the domain registrar?
> > >
> > > Any suggestions on how to ensure my digest 2 DS value is set up right?
> >
> > We cannot help you if we cannot see the DS records or know which domain
> > they are for.
> >
> > Anand
> >
> >
>
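The check Daniel describes above, deriving the DS records from the zone's own DNSKEY RRset with no round trip to the registrar, can be reproduced without BIND's tools, which makes it easy to see exactly what dnssec-dsfromkey hashes. The following is an added example and not code from the thread or from BIND: it parses presentation-format DNSKEY records as dig prints them, computes the RFC 4034 Appendix B key tag, and emits digest type 1 (SHA-1) and digest type 2 (SHA-256) DS records in the form dnssec-dsfromkey prints them. The sample RRset, the owner name example.com and the key bytes are constructed for the example and are not real keys; the function names are the example's own.

```python
"""Compute DS records from a zone's DNSKEY RRset locally (no registrar involved).

RFC 4034 section 5.1.4: DS digest = hash(canonical owner name || DNSKEY RDATA)
RFC 4034 Appendix B: key tag = 16-bit sum over the RDATA with the carry folded in
(the RSAMD5 special case, algorithm 1, is deliberately not handled here).
"""
import base64
import hashlib

# DS digest type numbers and the hash each one uses.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample in the presentation format `dig example.com. DNSKEY` uses.
# The key material is made up for this example and is not a real key.
SAMPLE_DNSKEY_RRSET = """\
; constructed sample, not a real zone's keys
example.com.  3600  IN  DNSKEY  257 3 8  AQI=
example.com.  3600  IN  DNSKEY  256 3 8  AQID
"""


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line):
    """Parse one presentation-format DNSKEY RR; return None for comments and other types."""
    tokens = line.split()
    if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
        return None
    i = tokens.index("DNSKEY")
    if len(tokens) < i + 5:
        return None
    # dig may split the base64 key into several chunks and append a ';' comment.
    key_chunks = []
    for tok in tokens[i + 4:]:
        if tok.startswith(";"):
            break
        if tok not in ("(", ")"):
            key_chunks.append(tok)
    return {
        "owner": tokens[0],
        "flags": int(tokens[i + 1]),
        "protocol": int(tokens[i + 2]),
        "algorithm": int(tokens[i + 3]),
        "pubkey": base64.b64decode("".join(key_chunks)),
    }


def dnskey_rdata(rec):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return (rec["flags"].to_bytes(2, "big")
            + bytes([rec["protocol"], rec["algorithm"]])
            + rec["pubkey"])


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Raw DS digest over the canonical owner name followed by the DNSKEY RDATA."""
    return DIGEST_ALGS[digest_type](wire_name(owner) + rdata).digest()


def ds_record(rec, digest_type):
    """DS RR in the form dnssec-dsfromkey prints: owner IN DS tag alg type HEX."""
    rdata = dnskey_rdata(rec)
    digest = ds_digest(rec["owner"], rdata, digest_type).hex().upper()
    return f'{rec["owner"]} IN DS {key_tag(rdata)} {rec["algorithm"]} {digest_type} {digest}'


def ds_records_from_rrset(text, ksk_only=True, digest_types=(1, 2)):
    """DS records for each DNSKEY in `text`; by default only keys with the SEP (KSK) bit set."""
    out = []
    for line in text.splitlines():
        rec = parse_dnskey(line)
        if rec is None or (ksk_only and not rec["flags"] & 1):
            continue
        out.extend(ds_record(rec, dt) for dt in digest_types)
    return out


if __name__ == "__main__":
    # Feed it the output of: dig @localhost example.com. DNSKEY
    for ds in ds_records_from_rrset(SAMPLE_DNSKEY_RRSET):
        print(ds)
```

The KSK filter (flags 257, i.e. ZONE plus SEP) mirrors the egrep in Daniel's pipeline; with ksk_only=False the ZSK gets DS records too, which is rarely what a registrar wants. Pointing the parser at the real DNSKEY answer from the authoritative server and comparing the digest 2 line with the one in dsset-example.com is the purely local check Frank was asking for: if they differ, the key served by BIND is not the key the dsset file was generated from, and the registrar would be right to reject it.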