Yeah, that’s the problem I’m trying to solve.  I run the key through 
dnssec-dsfromkey and get 32686. When I put the key into Route53, I get 22755 
from the decoded DS record in the Route53 console.

That’s why I wanted to decode the DS record to see if it’s encoding it as 32686 
or 22755.


> On Dec 29, 2022, at 09:17, Timothe Litt <l...@acm.org> wrote:
> 
> On 28-Dec-22 19:40, Eric Germann wrote:
>> My question is
>> 
>> Is there any way to decode the DS record and see what key tag is actually 
>> encoded in it?  If it’s 32686 it’s an issue with Route53.  If it’s 22755 
>> it’s an issue with dnssec-dsfromkey.
>> 
>> If anyone wants the DNSKEY for algorithm 8, ping me off list and I will 
>> share it with you in a private email.
>> 
>> Thoughts?
>> 
> And because it's trivial, here are the keytags for all your keys and DS 
> records and how to get them.  Note that you have DNSKEY 32686 installed in 
> the DNS, and that the installed DS is 22755.
> 
> Can't say how it got that way, but that's what is there.  (Manual processes 
> are error-prone.  That getting registrars to adopt CDS/CDNSKEY - RFC7344 - 
> has been so slow is unfortunate.)  It's rarely the tools.
> 
>  perl  -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short 
> ericgermann.photography DNSKEY); print "$_ => 
> ",Net::DNS::RR->new("ericgermann.photography. DNSKEY $_")->keytag,"\n" 
> foreach (@keys);'
> 257 3 8 AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt 
> xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O 
> vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1 
> SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL 
> UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV 
> 4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM= => 32686
> 256 3 8 AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K 
> AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET 
> VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2 
> hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt 
> qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL 
> oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE pbl7yiINzTU= => 43126
> 256 3 13 bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+ 
> H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== => 36584
> 256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ= => 48248
> 257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA= => 13075
> 257 3 13 DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6 
> tkGehWujsuYtwLf0aKt2b1mjQUk/BA== => 49677
> 
> perl  -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short 
> ericgermann.photography DS); print "$_ => 
> ",Net::DNS::RR->new("ericgermann.photography. DS $_")->keytag,"\n" foreach 
> (@keys);'
> 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9 
> => 22755
> 
> You can, of course, use data from your files instead of dig.  Works for both 
> DS and DNSKEY
> 
>  perl -MNet::DNS -MNet::DNS::SEC -e' print 
> Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2 
> 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
> 
> 
> 
> Enjoy.
> 
> Timothe Litt
> ACM Distinguished Engineer
> --------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
> 
> 
> 
> 
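
For anyone who would rather check this without Net::DNS, here is an added Python example; it is not from this thread or from the list (the Perl one-liners above are Timothe's). It implements the RFC 4034 Appendix B key tag over the DNSKEY RDATA, parses the DS presentation format to read the key tag field, and recomputes the DS digest (hash of the owner name in wire form followed by the DNSKEY RDATA) so you can see whether the published DS was generated from the DNSKEY that is actually in the zone, rather than only comparing key tags. The zone name, the algorithm 8 DNSKEY and the DS string are copied from the quoted message; the function names are my own.

```python
import base64
import hashlib
import struct

# Values copied from the thread: the zone, the algorithm 8 KSK that Net::DNS
# tagged 32686 (line-wrapped by the mailer), and the DS found in the parent.
ZONE = "ericgermann.photography."
DNSKEY_32686 = (
    "257 3 8 AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt "
    "xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O "
    "vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1 "
    "SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL "
    "UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV "
    "4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM="
)
DS_22755 = ("22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92"
            " 2D1E7FA9")

DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type -> hash name


def dnskey_rdata(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64...' into DNSKEY wire-format RDATA."""
    flags, proto, alg, *b64 = presentation.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))


def key_tag(rdata: bytes) -> int:
    """Key tag of RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in
    return ac & 0xFFFF


def parse_ds(presentation: str):
    """Split 'keytag algorithm digesttype digest' into typed fields."""
    tag, alg, dtype, *digest = presentation.split()
    return int(tag), int(alg), int(dtype), "".join(digest).lower()


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-cased, length-prefixed labels)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_digest(zone: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest = hash(owner name wire form || DNSKEY RDATA)."""
    return hashlib.new(DIGEST_ALGS[digest_type], owner_wire(zone) + rdata).hexdigest()


def ds_matches_dnskey(zone: str, ds: str, dnskey: str) -> bool:
    """True only if key tag, algorithm and digest of the DS all fit this DNSKEY."""
    tag, alg, dtype, digest = parse_ds(ds)
    rdata = dnskey_rdata(dnskey)
    return (tag == key_tag(rdata)
            and alg == rdata[3]                      # algorithm byte of the RDATA
            and digest == ds_digest(zone, rdata, dtype))


if __name__ == "__main__":
    rdata = dnskey_rdata(DNSKEY_32686)
    print("key tag computed from the DNSKEY :", key_tag(rdata))
    print("key tag field of the published DS:", parse_ds(DS_22755)[0])
    print("DS digest recomputed from DNSKEY :", ds_digest(ZONE, rdata, 2))
    print("published DS matches this DNSKEY :", ds_matches_dnskey(ZONE, DS_22755, DNSKEY_32686))
```

A key tag is only a 16-bit checksum of the RDATA, so two different keys can share one; the digest comparison is the real answer to "does this DS belong to this key". A different key tag means the DS was computed over different RDATA (for example the same public key pasted with different flags or a different algorithm number), and the recomputed digest will then not match either.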
