On 5/10/2021 12:17 PM, Tony Finch wrote:
> Dan Egli <d...@newideatest.site> wrote:
>
> > Where do I get the DS record, since I'm using BIND's inline signing?
>
> Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the
> KSK file)
>
>     $ grep This Kcam.ac.uk.+013+32840.key
>     ; This is a key-signing key, keyid 32840, for cam.ac.uk.
>     $ dnssec-dsfromkey -2 Kcam.ac.uk.+013+32840.key
>     cam.ac.uk. IN DS 32840 13 2 2BDAF21907420CE792AF02B55071953BC2BDB64B5126710E12AF89F711322B85
>
> or from your DNSKEY RRset (safest to run this on your primary to be sure
> the keys aren't mangled)
>
>     $ dig cam.ac.uk dnskey | dnssec-dsfromkey -2 -f - cam.ac.uk
>     cam.ac.uk. IN DS 32840 13 2 2BDAF21907420CE792AF02B55071953BC2BDB64B5126710E12AF89F711322B85
>
> Tony.
Still not working for me. The dig doesn't report anything, and I don't HAVE a keyfile since I'm using inline signing. Or does inline signing still require a key to be generated? The walkthrough I was looking at didn't seem to indicate that.
dig @localhost newideatest.site dnskey

; <<>> DiG 9.16.12 <<>> @localhost newideatest.site dnskey
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38832
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f9328808600478370100000060997aea2f4ce09bf11a954c (good)
;; QUESTION SECTION:
;newideatest.site.		IN	DNSKEY

;; AUTHORITY SECTION:
newideatest.site.	120	IN	SOA	newideatest.site. dan.newideatest.site. 5 120 240 604800 86400

;; Query time: 10 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 10 12:26:50 MDT 2021
;; MSG SIZE  rcvd: 113

So, of course dnssec-dsfromkey doesn't work:

dig @localhost newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
dnssec-dsfromkey: fatal: no DNSKEY RR for newideatest.site in input

-- 
Dan Egli
From my Test Server
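As an added illustration (not part of the thread, and not BIND's own code), the script below does offline what `dig ZONE dnskey | dnssec-dsfromkey -2 -f - ZONE` does: it pulls DNSKEY records out of a dig transcript, derives the key tag and DS digest as RFC 4034 specifies (Appendix B for the tag, section 5.1.4 for the digest), and classifies the empty authoritative answer seen above, which is exactly the input that makes dnssec-dsfromkey report "no DNSKEY RR ... in input". Both embedded transcripts are constructed: the first mimics the NOERROR / ANSWER: 0 reply above, the second carries the DNSKEY/DS example published in RFC 4034 section 5.4 (a ZSK-flagged key, so it is only converted when `include_zsk` is set, the analogue of dnssec-dsfromkey's `-A`). All function names are my own.

```python
"""Derive DS records from a dig DNSKEY transcript, RFC 4034 style.

Added example, not code from the thread or from BIND. It mirrors what
`dig ZONE dnskey | dnssec-dsfromkey -2 -f - ZONE` does, so the "no DNSKEY
RR ... in input" failure can be reproduced and understood offline.
"""
import base64
import hashlib
import re

# DS digest type numbers (IANA registry) -> hash constructors.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# One DNSKEY RR as dig prints it; the base64 key may contain spaces.
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+?)\s*$"
)

# Constructed transcript modelled on the empty authoritative answer in the thread.
EMPTY_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38832
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;newideatest.site.\t\tIN\tDNSKEY

;; AUTHORITY SECTION:
newideatest.site.\t120\tIN\tSOA\tnewideatest.site. dan.newideatest.site. 5 120 240 604800 86400
"""

# Constructed transcript carrying the DNSKEY from RFC 4034 section 5.4.
RFC4034_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
dskey.example.com.\t86400\tIN\tDNSKEY\t256 3 5 AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/ 2pHm822aJ5iI9BMzNXxeYCmZDRD99WYwYqUSdjMmmAphXdvx egXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc nOf+EPbtG9DMBmADjFDc2w/rljwvFw==
"""


def owner_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()


def answer_section(dig_output):
    """Lines of the ';; ANSWER SECTION:' block; empty when dig printed none."""
    lines, keep = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            keep = True
            continue
        if keep:
            if not line.strip() or line.startswith(";;"):
                break
            lines.append(line)
    return lines


def ds_from_dig(dig_output, digest_type=2, include_zsk=False):
    """DS records (as text) for the DNSKEYs found in a dig transcript.

    Keys without the SEP bit (ZSKs) are skipped unless include_zsk is set,
    matching dnssec-dsfromkey's behaviour without -A. An empty list is the
    situation dnssec-dsfromkey reports as "no DNSKEY RR for <zone> in input".
    """
    records = []
    for line in answer_section(dig_output):
        m = DNSKEY_RE.match(line)
        if not m:
            continue
        flags = int(m["flags"])
        if not include_zsk and not flags & 0x0001:  # SEP bit marks a KSK
            continue
        rdata = dnskey_rdata(flags, int(m["proto"]), int(m["alg"]), re.sub(r"\s+", "", m["key"]))
        records.append("%s IN DS %d %d %d %s" % (
            m["owner"], key_tag(rdata), int(m["alg"]), digest_type,
            ds_digest(m["owner"], rdata, digest_type)))
    return records


def diagnose(dig_output):
    """Classify a DNSKEY query the way an operator reads the dig header."""
    if ds_from_dig(dig_output, include_zsk=True):
        return "dnskey-published"
    hdr = re.search(r";; flags: ([^;]*);\s*QUERY: \d+, ANSWER: (\d+)", dig_output)
    if hdr and "aa" in hdr.group(1).split() and hdr.group(2) == "0" and "status: NOERROR" in dig_output:
        # Authoritative NOERROR with an empty answer: the zone is served but
        # carries no DNSKEY RRset, so there is nothing to derive a DS from.
        return "no-dnskey-published"
    return "unexpected"


if __name__ == "__main__":
    for label, text in (("empty answer", EMPTY_ANSWER), ("RFC 4034 key", RFC4034_ANSWER)):
        print(label, "->", diagnose(text))
        for ds in ds_from_dig(text, digest_type=1, include_zsk=True):
            print("   ", ds)
```

Run as a script it prints `no-dnskey-published` for the first transcript and the RFC's own DS line (`60485 5 1 2BB183AF...`) for the second. The diagnosis step is the useful part for the thread: an authoritative NOERROR with ANSWER: 0 means the server is serving the zone but has no DNSKEY RRset to publish, so no DS can exist yet, whatever tool you pipe the output into.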
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users