That's helpful. Very similar to what I found a minute ago on
https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/
with their example:

dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net

I've done this for my domain and both of my DS keys are showing up.
Tried the dnssec-dsfromkey with the .key file as well and that sanity check passed.

I think I'm set up all right, I'll need to check again with the domain registrar.

Thanks for the assistance.

On Mon, May 16, 2022 at 11:15 AM Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:

> If you have the public key file you can do:
>
> dnssec-dsfromkey Kexample.com.+013+55640.key
> example.com. IN DS 55640 13 2 CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9
>
> Or you can query the auth nameserver like this:
>
> dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" |
> dnssec-dsfromkey -f - example.com.
>
> Daniel
>
>
> On 16.05.22 16:01, frank picabia wrote:
> > Let's put it another way:
> >
> > Using tools like host or dig, can I look up my DS without it talking to
> > the domain registrar?
> >
> > If it is always getting from the domain registrar, I can't see how to
> > check the DS is set up all right purely within bind.
> >
> >
> > On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev <ana...@ripe.net> wrote:
> >
> >     On 16/05/2022 15:07, frank picabia wrote:
> >
> >     Hi Frank,
> >
> >     > I have dsset-example.com showing two DS keys with algorithm 8.
> >     > I included both .key files in my DNS. Only digest 1 comes back
> >     > in a dig query.
> >     >
> >     > I use dnssec-signzone tool to sign the zone file.
> >     >
> >     > The domain registrar says there is a problem with the digest 2 value.
> >     > It's copied directly from the dsset file.
> >     >
> >     > Not sure about the chicken and the egg in this case. When I do a dig, is
> >     > it really
> >     > just getting the value back from the domain registrar?
> >     >
> >     > Any suggestions on how to ensure my digest 2 DS value is set up right?
> >
> >     We cannot help you if we cannot see the DS records or know which domain
> >     they are for.
> >
> >     Anand
> >
>
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
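
The local check discussed in this thread (deriving the DS from a DNSKEY and comparing it with the DS line in the dsset file, without involving the registrar) can also be done by hand. The following is an added example, not code from the thread or from BIND: it computes the key tag (RFC 4034 Appendix B) and the DS digest over the owner name in wire form plus the DNSKEY RDATA. The function names and `SAMPLE_KEY` are assumptions; the sample key is constructed placeholder bytes, not a real key.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest) for one DNSKEY."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # The digest covers the owner name followed by the full DNSKEY RDATA.
    digest = hashers[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(owner, dnskey_fields, ds_text):
    """True if a DS line (dsset file or registrar form) matches the DNSKEY."""
    fields = ds_text.split()
    i = fields.index("DS")  # skip owner name, TTL and class
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    claimed = "".join(fields[i + 4:]).upper()  # digest may be split by spaces
    want = ds_from_dnskey(owner, *dnskey_fields, digest_type=dtype)
    return (tag, alg, dtype) == want[:3] and claimed == want[3]

# Constructed sample: 64 placeholder bytes, not a real ECDSA P-256 key.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey("example.com.", *SAMPLE_KEY)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

A mismatch in the key tag or algorithm points at the wrong key being submitted; a mismatch only in the digest points at a copy error or a different digest type than the one the registrar expects.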