If you have the public key file you can do: dnssec-dsfromkey Kexample.com.+013+55640.key example.com. IN DS 55640 13 2 CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9
Or you can query the auth nameserver like this: dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" | dnssec-dsfromkey -f - example.com. Daniel On 16.05.22 16:01, frank picabia wrote: > Let's put it another way: > > Using tools like host or dig, can I look up my DS without it talking to > the domain registrar? > > If it is always getting from the domain registrar, I can't see how to > check the DS is set up all right purely within bind. > > > On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev <ana...@ripe.net > <mailto:ana...@ripe.net>> wrote: > > On 16/05/2022 15:07, frank picabia wrote: > > Hi Frank, > > > I have dsset-example.com <http://dsset-example.com> showing two DS > keys with algorithm 8. > > I included both .key files in my DNS. Only digest 1 comes back > > in a dig query. > > > > I use dnssec-signzone tool to sign the zone file. > > > > The domain registrar says there is a problem with the digest 2 value. > > It's copied directly from the dsset file. > > > > Not sure about the chicken and the egg in this case. When I do a > dig, is > > it really > > just getting the value back from the domain registrar? > > > > Any suggestions on how to ensure my digest 2 DS value is set up right? > > We cannot help you if we cannot see the DS records or know which domain > they are for. > > Anand > > -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
