Yeah, that's the problem I'm trying to solve. I run the key through dnssec-dsfromkey and get 32686. When I put the key into Route53, I get 22755 from the decoded DS record in the console for Route53.

That's why I wanted to decode the DS record to see if it's encoding it as 32686 or 22755.

> On Dec 29, 2022, at 09:17, Timothe Litt <l...@acm.org> wrote:
>
> On 28-Dec-22 19:40, Eric Germann wrote:
>> My question is
>>
>> Is there any way to decode the DS record and see what key tag is actually
>> encoded in it? If it's 32686 it's an issue with Route53. If it's 22755
>> it's an issue with dnssec-dsfromkey.
>>
>> If anyone wants the DNSKEY for algorithm 8, ping me off list and I will
>> share it with you in a private email.
>>
>> Thoughts?
>>
> And because it's trivial, here are the keytags for all your keys and DS
> records and how to get them. Note that you have DNSKEY 32686 installed in
> the DNS, and that the installed DS is 22755.
>
> Can't say how it got that way, but that's what is there. (Manual processes
> are error-prone. That getting registrars to adopt CDS/CDNSKEY - RFC7344 -
> has been so slow is unfortunate.) It's rarely the tools.
>
> perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DNSKEY); print "$_ => ",Net::DNS::RR->new("ericgermann.photography. DNSKEY $_")->keytag,"\n" foreach (@keys);'
>
> 257 3 8 AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1 SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV 4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM= => 32686
> 256 3 8 AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2 hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE pbl7yiINzTU= => 43126
> 256 3 13 bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+ H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== => 36584
> 256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ= => 48248
> 257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA= => 13075
> 257 3 13 DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6 tkGehWujsuYtwLf0aKt2b1mjQUk/BA== => 49677
>
> perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DS); print "$_ => ",Net::DNS::RR->new("ericgermann.photography. DS $_")->keytag,"\n" foreach (@keys);'
>
> 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9 => 22755
>
> You can, of course, use data from your files instead of dig. Works for both
> DS and DNSKEY:
>
> perl -MNet::DNS -MNet::DNS::SEC -e'print Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
>
> Enjoy.
>
> Timothe Litt
> ACM Distinguished Engineer
> --------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
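The Perl one-liners above only read the key tag out of each record. An added example, not part of the thread and not Net::DNS::SEC, showing the same computation in plain Python: it implements the RFC 4034 Appendix B key-tag algorithm over the DNSKEY RDATA, parses the DS presentation format, and goes one step further than the thread by recomputing the DS digest (SHA-256 over the canonical owner name plus DNSKEY RDATA, RFC 4509) so you can tell whether the installed DS actually belongs to a given DNSKEY rather than only comparing tag numbers. The record data below are copies of the records posted in the thread (the RSA KSK is the key the thread reports as tag 32686; the installed DS is 22755); no network access is needed.

```python
# Added example (not from the thread): RFC 4034 key-tag computation and a
# DS-vs-DNSKEY digest check in plain Python, using the records posted above.
import base64
import hashlib
import struct

OWNER = "ericgermann.photography."

# DNSKEY records as dig +short printed them in the thread (copies of the
# posted data; the RSA KSK is the key the thread reports as tag 32686).
KSK_RSA = (
    "257 3 8 "
    "AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt "
    "xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O "
    "vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1 "
    "SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL "
    "UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV "
    "4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N "
    "egWHPunS1IM="
)
KSK_ED25519 = "257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA="

# The DS the thread shows installed at the parent (tag 22755, alg 8, SHA-256).
DS_INSTALLED = ("22755 8 2 "
                "2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Parse 'flags proto alg base64' (key may contain whitespace as dig prints it).
    Returns (flags, protocol, algorithm, rdata) with rdata in wire format."""
    fields = rr.split()
    flags, proto, alg = (int(x) for x in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return flags, proto, alg, struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes, algorithm: int) -> int:
    """RFC 4034 Appendix B: ones-complement-style 16-bit sum over the RDATA.
    Algorithm 1 (RSA/MD5) is the historical exception and uses modulus bytes."""
    if algorithm == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even index: high byte, odd: low byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_tag(rr: str) -> int:
    _, _, alg, rdata = parse_dnskey(rr)
    return key_tag(rdata, alg)


def parse_ds(rr: str):
    """Parse 'keytag alg digesttype hex' (digest may be split by whitespace)."""
    fields = rr.split()
    tag, alg, dtype = (int(x) for x in fields[:3])
    return tag, alg, dtype, bytes.fromhex("".join(fields[3:]))


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """digest = H(canonical owner name || DNSKEY RDATA); 1=SHA-1, 2=SHA-256, 4=SHA-384."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, dnskey_rr: str, digest_type: int = 2) -> str:
    """Build the DS presentation record for a DNSKEY (what dnssec-dsfromkey emits)."""
    _, _, alg, rdata = parse_dnskey(dnskey_rr)
    return "%d %d %d %s" % (key_tag(rdata, alg), alg, digest_type,
                            ds_digest(owner, rdata, digest_type).hex().upper())


def ds_matches_dnskey(owner: str, ds_rr: str, dnskey_rr: str) -> bool:
    """True only if key tag, algorithm AND digest of the DS agree with the DNSKEY.
    A matching tag alone proves nothing; tags collide and are not a hash."""
    tag, alg, dtype, digest = parse_ds(ds_rr)
    _, _, kalg, rdata = parse_dnskey(dnskey_rr)
    return (tag == key_tag(rdata, kalg) and alg == kalg
            and digest == ds_digest(owner, rdata, dtype))


if __name__ == "__main__":
    for rr in (KSK_RSA, KSK_ED25519):
        print(" ".join(rr.split()[:3]), "... => tag", dnskey_tag(rr))
    print("installed DS tag:", parse_ds(DS_INSTALLED)[0])
    print("installed DS matches the RSA KSK:",
          ds_matches_dnskey(OWNER, DS_INSTALLED, KSK_RSA))
    print("DS that the RSA KSK would produce:", make_ds(OWNER, KSK_RSA))
```

Run it as-is and compare the last line with what Route53 shows: if the digest differs as well as the tag, the parent holds a DS for some other key (an older KSK, or a key that was never published), and the fix is to replace the DS, not to argue about which tool computed the tag. Note that whitespace inside the base64 key or the hex digest is tolerated exactly because dig and zone files wrap long RDATA.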