Hi,

We have noticed that on AlmaLinux 9.2, with opendnssec installed from the official repo, the command 'ods-enforcer key export --ds' prints a wrong DS record:

[root@xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si
test1234.si. 3600 IN DNSKEY 257 3 13 VtW3wv6GauZXSJPtgQStii8C+ETalMPy9JJsMPJwcHhropu9+pMfveJr7MaC45SfiFUgOM9g/yu60wykhx/YpQ==

[root@xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si --ds
;publish KSK DS record (SHA256):
test1234.si. 3600 IN DS 50706 13 2 8fdac70eee3a63eb88f1d86fea4fc47f5ef7ed646ecda6ded741f857b862fd8b

[root@xxxxxx ~]# ods-enforcer key export  --keytype KSK --zone test1234.si > Ktest1234.si.key
[root@xxxxxx ~]# dnssec-dsfromkey Ktest1234.si.key
test1234.si. IN DS 50706 13 2 83D4E968ADB95A71117E978604491291D7649FB89B097750735872E2B62BC1B8

The zone is signed OK. With the DS record produced by opendnssec the trust chain does not work, while with the DS record produced by dnssec-dsfromkey it works OK.

Benjamin

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
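
An independent check of the two DS records in the post above, added here as an example and not part of the original message or of OpenDNSSEC: it recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4, RFC 4509) from the exported DNSKEY and reports which candidate matches. The function names are this example's own; the record strings are copied from the post.

```python
import base64
import hashlib

# DNSKEY and the two candidate DS records, copied from the post above.
DNSKEY = ("test1234.si. 3600 IN DNSKEY 257 3 13 "
          "VtW3wv6GauZXSJPtgQStii8C+ETalMPy9JJsMPJwcHhropu9+pMfveJr7MaC45SfiFUgOM9g/yu60wykhx/YpQ==")
CANDIDATES = {
    "ods-enforcer": "test1234.si. 3600 IN DS 50706 13 2 "
                    "8fdac70eee3a63eb88f1d86fea4fc47f5ef7ed646ecda6ded741f857b862fd8b",
    "dnssec-dsfromkey": "test1234.si. IN DS 50706 13 2 "
                        "83D4E968ADB95A71117E978604491291D7649FB89B097750735872E2B62BC1B8",
}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Return (owner, RDATA bytes) from a presentation-format DNSKEY line."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit word sum with the carry folded in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):
    """SHA-256 over canonical owner name followed by the DNSKEY RDATA (digest type 2)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def check(dnskey_line, ds_line):
    """True if the DS owner, key tag, algorithm and SHA-256 digest match the DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    fields = ds_line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).lower()
    return (name_to_wire(fields[0]) == name_to_wire(owner) and dtype == 2
            and tag == key_tag(rdata) and alg == rdata[3]
            and digest == ds_sha256(owner, rdata))

if __name__ == "__main__":
    for tool, ds in CANDIDATES.items():
        print(f"{tool:18} {'matches' if check(DNSKEY, ds) else 'does NOT match'} the DNSKEY")
```

Running the same check against a DS record before it is submitted to the parent zone catches a mismatched digest before it breaks the chain of trust.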
