Only one DS key comes back in query

Victoria Risk vicky at isc.org
Tue May 17 20:21:29 UTC 2022


Hi Frank,

The use of example.com and the like on this list is provocative specifically because people are frustrated that they then cannot help you. It is something of a special situation that since you are not a regular participant here, you were unaware of. 

The people on this list will often go to great lengths to help people who post problems here, by diagnosing the domain that is having an issue. The way that is done is by querying the domain, perhaps closely related domains (parents, children, etc), looking at signatures, other fields in the response, etc. This very often leads quickly to an answer that helps the poster. This kind of active help in troubleshooting your DNS issue cannot be done if you obscure the domain name, and that can be frustrating for people on the list who then cannot help you. 

This is why it says in the list information: (https://lists.isc.org/mailman/listinfo/bind-users)
- If you are debugging an active issue with an externally published domain, providing the full domain name allows others to query it in order to help you. Omitting, changing, or obscuring the domain can make it harder or impossible for others to help you. 

Regards,

Vicky Risk

> On May 16, 2022, at 8:41 PM, frank picabia <fpicabia at gmail.com> wrote:
> 
> I've been using open source for decades.  Long enough that I rarely need to use lists for help.
> 
> Here's the RFC mentioning reserved domain name use:  https://www.rfc-editor.org/rfc/rfc2606.html
> 
> I am ridiculed by an ISC member for using a reserved domain according to the purpose in the RFC and then
> a second ISC member states I am arrogant?   I think there's a bunch of you that need to check your privilege!
> Or maybe these persons are the chief whips responsible for driving people from the lists into paying customers?
> 
> Check other lists.  Postfix. Apache.  Whatever.  No one ever has an issue when they see example.com.
> It's widely known as the boilerplate value you're leaving out of the equation for the moment.
> 
> In the documentation I see this:
> 
> Once the rndc reconfig <https://bind9.readthedocs.io/en/v9_18_2/manpages.html#cmdoption-rndc-arg-reconfig> command is issued, BIND serves a signed zone. The file dsset-example.com (created by dnssec-signzone <https://bind9.readthedocs.io/en/v9_18_2/manpages.html#std-iscman-dnssec-signzone> when it signed the example.com zone) contains the DS record for the zone’s KSK. You will need to pass that to the administrator of the parent zone, to be placed in the zone.
> 
> It seems the first value in dsset file is okay.  The documentation doesn't talk about the second one, and this is where
> the problem is seen.  I see one value on the second key (digest 2) in dsset file, and a different value using the value
> obtained by running something like:
> 
> dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net
> The digest 2 second key here seems to be what should be used with the domain registrar.  I'll soon find out.
> 
> 
> 
> On Mon, May 16, 2022 at 2:54 PM Ondřej Surý <ondrej at isc.org> wrote:
> Well, then don’t expect people will want to help you. If you need to hide the information and you need help then you should be prepared to pay for the support. Coming to open source list asking for help for free and expect other people to help you is just plain arrogant behavior. Again, Bert Hubert was exactly right here:
> 
> https://berthub.eu/articles/posts/anonymous-help/
> 
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
> 
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> 
>> On 16. 5. 2022, at 19:06, frank picabia <fpicabia at gmail.com> wrote:
>> 
>> Suppose I was working on a problem for Barclays
>> Bank, do you suppose they would be thrilled with me posting
>> their networking innards for the world to see?
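
Added example (not part of the original thread, and not ISC or BIND code): the quoted message above compares the digest type 2 DS line in a dsset file with dnssec-dsfromkey output. This Python code recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) from DNSKEY record lines and reports which DS lines match a published key. The zone example.test, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lowercased) wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """DNSKEY RDATA bytes from one presentation-format record line."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[i + 4:]))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):
    """Digest type 2 DS: SHA-256 over owner wire name + DNSKEY RDATA (RFC 4509)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"

def check_ds(owner, dnskey_lines, ds_lines):
    """Map each digest-2 DS line to True if some DNSKEY in the set produces it."""
    expected = {ds_sha256(owner, parse_dnskey(l)) for l in dnskey_lines}
    result = {}
    for line in ds_lines:
        f = line.split()
        i = f.index("DS")
        if f[i + 3] == "2":
            # Digest may be split by spaces in zone-file form; hex case is not significant.
            result[line] = " ".join(f[i + 1:i + 4] + ["".join(f[i + 4:]).upper()]) in expected
    return result

# Constructed sample data: the key bytes are arbitrary, not a real key.
SAMPLE_KEY = "example.test. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()
GOOD_DS = "example.test. IN DS " + ds_sha256("example.test.", parse_dnskey(SAMPLE_KEY))
STALE_DS = "example.test. IN DS 59409 13 2 " + "AB" * 32  # same tag, wrong digest

if __name__ == "__main__":
    for ds, ok in check_ds("example.test.", [SAMPLE_KEY], [GOOD_DS, STALE_DS]).items():
        print("MATCH   " if ok else "MISMATCH", ds)
```

A DS line that reports MISMATCH against every DNSKEY the zone currently serves was generated from a different key or a different owner name, which is the situation to rule out before handing a DS record to the registrar.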
