Yeah, that’s the problem I’m trying to solve. I run the key thru dnssec-dsfromkey and get 32686, When I put the key in to Route53, I get 22755 from the decoded DS record in the console for Route53.
That’s why I wanted to decode the DS record to see if it’s encoding it as 32686
or 22755
> On Dec 29, 2022, at 09:17, Timothe Litt <l...@acm.org> wrote:
>
> On 28-Dec-22 19:40, Eric Germann wrote:
>> My question is
>>
>> Is there any way to decode the DS record and see what key tag is actually
>> encoded in it? If it’s 32686 it’s an issue with Route53. If it’s 22755
>> it’s an issue with dnssec-dsfromkey.
>>
>> If anyone wants the DNSKEY for algorithm 8, ping me off list and I will
>> share it with you in a private email.
>>
>> Thoughts?
>>
> And because it's trivial, here are the keytags for all your keys and DS
> records and how to get them. Note that you have DNSKEY 32686: installed in
> the DNS, and that the installed DS is 22755.
>
> Can't say how it got that way, but that's what is there. (Manual processes
> are error-prone. That getting registrars to adopt CDS/CDNSKEY - RFC7344 -
> has been so slow is unfortunate.) It's rarely the tools.
>
> perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short
> ericgermann.photography DNSKEY); print "$_ =>
> ",Net::DNS::RR->new("ericgermann.photography. DNSKEY $_")->keytag,"\n"
> foreach (@keys);'
> 257 3 8 AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt
> xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O
> vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1
> SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL
> UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV
> 4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM= => 32686
> 256 3 8 AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K
> AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET
> VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2
> hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt
> qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL
> oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE pbl7yiINzTU= => 43126
> 256 3 13 bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+
> H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== => 36584
> 256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ= => 48248
> 257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA= => 13075
> 257 3 13 DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6
> tkGehWujsuYtwLf0aKt2b1mjQUk/BA== => 49677
>
> perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short
> ericgermann.photography DS); print "$_ =>
> ",Net::DNS::RR->new("ericgermann.photography. DS $_")->keytag,"\n" foreach
> (@keys);'
> 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9
> => 22755
>
> You can, of course, use data from your files instead of dig. Works for both
> DS and DNSKEY
>
> perl -MNet::DNS -MNet::DNS::SEC -e' print
> Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2
> 2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
>
>
>
> Enjoy.
>
> Timothe Litt
> ACM Distinguished Engineer
> --------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
>
>
>
>
signature.asc
Description: Message signed with OpenPGP
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
