I’m running bind 9.18.10 and having a hell of a time with AWS Route53 and DNSSEC.
I’m testing dnssec-policy and have algorithms 8, 13, and 15 set. On the test domain I’m using, I wiped the old keys, deleted the DS records in the parent zone and basically started from scratch. I started named and it created new .key/.private files in the key directory. My KSK is Kericgermann.photography.+008+32686.key, and I run dnssec-dsfromkey and get a DS record.

I cut and paste that record into the Route53 DNSSEC config and it decodes the key tag as 22755 instead of 32686. I get a DNSViz diagram that looks like this: https://dnsviz.net/d/ericgermann.photography/dnssec/ In the diagram, .photography is looking for a key tag of 22755 instead of the correct 32686 for algorithm 8.

My question is: is there any way to decode the DS record and see what key tag is actually encoded in it? If it’s 32686 it’s an issue with Route53. If it’s 22755 it’s an issue with dnssec-dsfromkey.

If anyone wants the DNSKEY for algorithm 8, ping me off list and I will share it with you in a private email.

Thoughts?

--
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Medium: https://ekgermann.medium.com
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712
GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
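One way to answer the question in the post independently of either tool, as an added example that is not part of the original message or of BIND: recompute the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) directly from the DNSKEY RDATA and compare them with the fields of a DS record. The key tag in a DS record is its first presentation-format field, so the check is whether that number equals the tag derived from the public key that the parent's digest actually covers. The owner name, DNSKEY and DS strings below are constructed for the example (the base64 blob is not a real RSA key); in practice you would paste the zone's own `257 3 8 ...` DNSKEY (for example from `dig DNSKEY <zone>`) and the DS line as it appears in the parent.

```python
"""Recompute a DNSKEY's key tag and DS digest per RFC 4034 and compare
them with a DS record.  Added example, not code from the original post.
All key material below is constructed and is not a usable key."""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the root (zero-length) label."""
    labels = name.rstrip(".").lower().split(".") if name.strip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str):
    """'257 3 8 <base64...>' -> (flags, protocol, algorithm, public key bytes)."""
    fields = text.split()
    flags, proto, alg = int(fields[0]), int(fields[1]), int(fields[2])
    pubkey = base64.b64decode("".join(fields[3:]))  # base64 may be split over fields
    return flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete 1):
    sum the RDATA as big-endian 16-bit words, fold the carry, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types registered in the IANA DS-RR digest registry
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Build the DS presentation RDATA for a DNSKEY: digest is computed over
    canonical owner name || DNSKEY RDATA."""
    flags, proto, alg, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def parse_ds(text: str):
    """'<tag> <alg> <digest type> <hex...>' -> (tag, alg, digest_type, HEX)."""
    f = text.split()
    return int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper()


def check_ds(owner: str, dnskey_text: str, ds_text: str) -> dict:
    """Compare a published DS against one recomputed from the DNSKEY.
    A digest match with a tag mismatch means the DS was built from the right
    key but its key-tag field was altered somewhere along the way."""
    ds_tag, ds_alg, ds_dtype, ds_digest = parse_ds(ds_text)
    exp_tag, exp_alg, _, exp_digest = parse_ds(make_ds(owner, dnskey_text, ds_dtype))
    return {
        "tag_in_ds": ds_tag,
        "tag_from_dnskey": exp_tag,
        "tag_matches": ds_tag == exp_tag,
        "digest_matches": ds_digest == exp_digest and ds_alg == exp_alg,
    }


if __name__ == "__main__":
    # Constructed sample input (hypothetical zone, fake 4-byte "key").
    OWNER = "example.test."
    DNSKEY = "257 3 8 AQIDBA=="
    good_ds = make_ds(OWNER, DNSKEY)
    print("DS computed from DNSKEY:", good_ds)
    print("same DS checked back    :", check_ds(OWNER, DNSKEY, good_ds))
    # Same digest, but the key-tag field rewritten by some intermediate system.
    tag, rest = good_ds.split(" ", 1)
    print("DS with altered tag     :", check_ds(OWNER, DNSKEY, f"{int(tag) + 1} {rest}"))
```

If `digest_matches` is true while `tag_matches` is false, the digest still binds the parent's DS to the correct KSK and only the tag field was changed by whatever produced or re-encoded the record; if the digest itself does not match, the DS was derived from a different DNSKEY (or a different owner name or digest type) than the one being checked.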
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users