Re: Only one DS key comes back in query

2022-05-19 Thread frank picabia
Thanks for this detailed information, Mark.

I'll blame it on the antibiotics and old age, but I had never noticed the
key is actually complete in my dsset file
if I don't interpret the space as a delimiter.

So there are two ways to get the DS keys: from the dsset file while
ignoring the space between the two values of digest 2,
or by using the dnssec-dsfromkey method while querying one's DNS server.

My domain registrar has the values now and we're good.  Thanks for the
assistance.


On Wed, May 18, 2022 at 2:16 PM Mark Andrews  wrote:

> I suspect that you failed to copy the complete second record or that the
> registrar failed to handle the optional white space in the last field.
> Without you posting the contents of the dsset file and what you passed to
> the registrar there is no way to know.  There is also no way to know if it
> was miscomputed unless we have a copy of the DNSKEY it was generated from.
>
> example.com. IN DS 28387 5 1 47145FCABDFC00DD9CDE1369FA6A456F0D196C11
> example.com. IN DS 28387 5 2
> AC92037CEB08E7AF3539D140BC3855FA32AB0055973ABC7A4FB4A49C 385E7C29
>
> The second record could be written like below and it would still be
> correct.
>
> example.com. IN DS 28387 5 2 A C 9 2 0 3 7 C E B 0 8 E 7 A F 3 5 3 9 D 1
> 4 0 B C 3 8 5 5 F A 3 2 A B 0 0 5 5 9 7 3 A B C 7 A 4 F B 4 A 4 9 C 3 8 5 E
> 7 C 2 9
>
> As for how many records there are in the dsset file, that has changed over
> time.  It started out as just type 1 (SHA1), then type 1 (SHA1) and type 2
> (SHA256), and more recently just type 2 (SHA256) as the DNSSEC standards
> evolve based on changes in cryptographic best practice.  DNSSEC is
> approximately 20 years old now and computing capabilities have changed a
> lot over that period.
>
> I know computers are not infallible but dnssec-signzone has been
> generating dsset files for almost all of those 20 years now.  We would be
> getting thousands of reports of errors if it was mis-generating DS
> records.  Named itself needs to generate tens of thousands of DS records a
> second to perform DNSSEC validations on a busy validator and
> dnssec-signzone uses the same code to generate the DS records it prints out.
>
> Using ‘example’ is fine until something goes wrong or it is believed to
> have gone wrong.  At that point you need the actual real names.  You don’t
> go to your mechanic with a different car when you have a problem with your
> car.  Using ‘example’ is like doing that.
>
> Mark
>
>
> > On 17 May 2022, at 04:41, frank picabia  wrote:
> >
> > I've been using open source for decades.  Long enough that I rarely need
> to use lists for help.
> >
> > Here's the RFC mentioning reserved domain name use:
> https://www.rfc-editor.org/rfc/rfc2606.html
> >
> > I am ridiculed by an ISC member for using a reserved domain according to
> the purpose in the RFC and then
> > a second ISC member states I am arrogant?   I think there's a bunch of
> you that need to check your privilege!
> > Or maybe these persons are the chief whips responsible for driving
> people from the lists into paying customers?
> >
> > Check other lists.  Postfix. Apache.  Whatever.  No one ever has an
> issue when they see example.com
> > It's widely known as the boilerplate value you're leaving out of the
> equation for the moment.
> >
> > In the documentation I see this:
> >
> > Once the rndc reconfig command is issued, BIND serves a signed zone. The
> file dsset-example.com (created by dnssec-signzone when it signed the
> example.com zone) contains the DS record for the zone’s KSK. You will
> need to pass that to the administrator of the parent zone, to be placed in
> the zone.
> >
> > It seems the first value in the dsset file is okay.  The documentation
> doesn't talk about the second one, and this is where
> > the problem is seen.  I see one value on the second key (digest 2) in
> the dsset file, and a different value using the value
> > obtained by running something like:
> >
> > dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net
> > The digest 2 second key here seems to be what should be used with the
> domain registrar.  I'll soon find out.
> >
> >
> >
> > On Mon, May 16, 2022 at 2:54 PM Ondřej Surý  wrote:
> > Well, then don’t expect people will want to help you. If you need to
> hide the information and you need help then you should be prepared to pay
> for the support. Coming to an open source list asking for help for free and
> expecting other people to help you is just plain arrogant behavior. Again,
> Bert Hubert was exactly right here:
> >
> > https://berthub.eu/articles/posts/anonymous-help/
> >
> > Ondrej
> > --
> > Ondřej Surý — ISC (He/Him)
> >
> > My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
> >
> >> On 16. 5. 2022, at 19:06, frank picabia  wrote:
> >>
> >> Suppose I was working on a problem for Barclays
> >> Bank, do you suppose they would be thrilled with me posting
> >> their networking innards 

Re: Only one DS key comes back in query

2022-05-18 Thread Mark Andrews
I suspect that you failed to copy the complete second record or that the 
registrar failed to handle the optional white space in the last field.  Without 
you posting the contents of the dsset file and what you passed to the registrar 
there is no way to know.  There is also no way to know if it was miscomputed 
unless we have a copy of the DNSKEY it was generated from.

example.com. IN DS 28387 5 1 47145FCABDFC00DD9CDE1369FA6A456F0D196C11
example.com. IN DS 28387 5 2 
AC92037CEB08E7AF3539D140BC3855FA32AB0055973ABC7A4FB4A49C 385E7C29

The second record could be written like below and it would still be correct.

example.com. IN DS 28387 5 2 A C 9 2 0 3 7 C E B 0 8 E 7 A F 3 5 3 9 D 1 4 0 B 
C 3 8 5 5 F A 3 2 A B 0 0 5 5 9 7 3 A B C 7 A 4 F B 4 A 4 9 C 3 8 5 E 7 C 2 9

As for how many records there are in the dsset file, that has changed over time.
It started out as just type 1 (SHA1), then type 1 (SHA1) and type 2 (SHA256), 
and more recently just type 2 (SHA256) as the DNSSEC standards evolve based on 
changes in cryptographic best practice.  DNSSEC is approximately 20 years old 
now and computing capabilities have changed a lot over that period.

I know computers are not infallible but dnssec-signzone has been generating 
dsset files for almost all of those 20 years now.  We would be getting 
thousands of reports of errors if it was mis-generating DS records.  Named 
itself needs to generate tens of thousands of DS records a second to perform 
DNSSEC validations on a busy validator and dnssec-signzone uses the same code 
to generate the DS records it prints out.

Using ‘example’ is fine until something goes wrong or it is believed to have 
gone wrong.  At that point you need the actual real names.  You don’t go to 
your mechanic with a different car when you have a problem with your car.  
Using ‘example’ is like doing that.

Mark


> On 17 May 2022, at 04:41, frank picabia  wrote:
> 
> I've been using open source for decades.  Long enough that I rarely need to 
> use lists for help.
> 
> Here's the RFC mentioning reserved domain name use:  
> https://www.rfc-editor.org/rfc/rfc2606.html
> 
> I am ridiculed by an ISC member for using a reserved domain according to the 
> purpose in the RFC and then
> a second ISC member states I am arrogant?   I think there's a bunch of you 
> that need to check your privilege!
> Or maybe these persons are the chief whips responsible for driving people 
> from the lists into paying customers?
> 
> Check other lists.  Postfix. Apache.  Whatever.  No one ever has an issue 
> when they see example.com
> It's widely known as the boilerplate value you're leaving out of the equation 
> for the moment.
> 
> In the documentation I see this:
> 
> Once the rndc reconfig command is issued, BIND serves a signed zone. The file 
> dsset-example.com (created by dnssec-signzone when it signed the example.com 
> zone) contains the DS record for the zone’s KSK. You will need to pass that 
> to the administrator of the parent zone, to be placed in the zone.
> 
> It seems the first value in the dsset file is okay.  The documentation doesn't 
> talk about the second one, and this is where
> the problem is seen.  I see one value on the second key (digest 2) in the dsset 
> file, and a different value using the value
> obtained by running something like:
> 
> dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net
> The digest 2 second key here seems to be what should be used with the domain 
> registrar.  I'll soon find out.
> 
> 
> 
> On Mon, May 16, 2022 at 2:54 PM Ondřej Surý  wrote:
> Well, then don’t expect people will want to help you. If you need to hide the 
> information and you need help then you should be prepared to pay for the 
> support. Coming to an open source list asking for help for free and expecting 
> other people to help you is just plain arrogant behavior. Again, Bert Hubert was 
> exactly right here:
> 
> https://berthub.eu/articles/posts/anonymous-help/
> 
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
> 
> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.
> 
>> On 16. 5. 2022, at 19:06, frank picabia  wrote:
>> 
>> Suppose I was working on a problem for Barclays
>> Bank, do you suppose they would be thrilled with me posting
>> their networking innards for the world to see?
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org


Re: Only one DS key comes back in query

2022-05-18 Thread Matthew Pounsett
On Mon, May 16, 2022 at 2:41 PM frank picabia  wrote:

> I've been using open source for decades.  Long enough that I rarely need
> to use lists for help.
>
> Here's the RFC mentioning reserved domain name use:
> https://www.rfc-editor.org/rfc/rfc2606.html
>

Those reservations are for testing and documentation examples.  They're not
particularly useful when requesting help for specific problems, unless
you're doing something like a search/replace on detailed query output in
order to redact it.  Even if you do that you have to be very careful not to
change things the wrong way, or it further confuses the issue.  You're much
better off just sharing the domain name you're concerned with.

If you're asking for help about a real configuration, you're going to get
limited effort back from the community if you don't provide them with
enough information to help you.  Since you're not providing DNS queries
(even redacted ones) that show the problem, that means they can't see
enough information to actually answer your questions.  Also hiding the
domain name in question means they can't check for themselves what the
contents of your zone or your parent zone are, and so they are left with
insufficient information to provide you help.  It makes matters worse that
you are using phrases that subtly suggest you may be making incorrect
assumptions, which leads people to really want to check what the real data
is.

And people are absolutely right to tell you that if you're working for such
a large, public company that they would be embarrassed by you asking for
help publicly, then they should pay for support so that they can get that
help privately.


Re: Only one DS key comes back in query

2022-05-17 Thread Victoria Risk
Hi Frank,

The use of example.com and the like on this list is provocative specifically 
because people are frustrated that they then cannot help you. It is something 
of a special situation that since you are not a regular participant here, you 
were unaware of. 

The people on this list will often go to great lengths to help people who post 
problems here, by diagnosing the domain that is having an issue. The way that 
is done is by querying the domain, perhaps closely related domains (parents, 
children, etc), looking at signatures, other fields in the response, etc. This 
very often leads quickly to an answer that helps the poster. This kind of 
active help in troubleshooting your DNS issue cannot be done if you obscure the 
domain name, and that can be frustrating for people on the list who then cannot 
help you. 

This is why it says in the list information: 
(https://lists.isc.org/mailman/listinfo/bind-users)
- If you are debugging an active issue with an externally published domain, 
providing the full domain name allows others to query it in order to help you. 
Omitting, changing, or obscuring the domain can make it harder or impossible 
for others to help you. 

Regards,

Vicky Risk

> On May 16, 2022, at 8:41 PM, frank picabia  wrote:
> 
> I've been using open source for decades.  Long enough that I rarely need to 
> use lists for help.
> 
> Here's the RFC mentioning reserved domain name use:  
> https://www.rfc-editor.org/rfc/rfc2606.html 
> 
> 
> I am ridiculed by an ISC member for using a reserved domain according to the 
> purpose in the RFC and then
> a second ISC member states I am arrogant?   I think there's a bunch of you 
> that need to check your privilege!
> Or maybe these persons are the chief whips responsible for driving people 
> from the lists into paying customers?
> 
> Check other lists.  Postfix. Apache.  Whatever.  No one ever has an issue 
> when they see example.com 
> It's widely known as the boilerplate value you're leaving out of the equation 
> for the moment.
> 
> In the documentation I see this:
> 
> Once the rndc reconfig command is issued, BIND serves a signed zone. The file 
> dsset-example.com (created by dnssec-signzone when it signed the example.com 
> zone) contains the DS record for the zone’s KSK. You will need to pass that 
> to the administrator of the parent zone, to be placed in the zone.
> 
> It seems the first value in the dsset file is okay.  The documentation doesn't 
> talk about the second one, and this is where
> the problem is seen.  I see one value on the second key (digest 2) in the dsset 
> file, and a different value using the value
> obtained by running something like:
> 
> dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net
> The digest 2 second key here seems to be what should be used with the domain 
> registrar.  I'll soon find out.
> 
> 
> 
> On Mon, May 16, 2022 at 2:54 PM Ondřej Surý wrote:
> Well, then don’t expect people will want to help you. If you need to hide the 
> information and you need help then you should be prepared to pay for the 
> support. Coming to an open source list asking for help for free and expecting 
> other people to help you is just plain arrogant behavior. Again, Bert Hubert was 
> exactly right here:
> 
> https://berthub.eu/articles/posts/anonymous-help/ 
> 
> 
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
> 
> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.
> 
>> On 16. 5. 2022, at 19:06, frank picabia wrote:
>> 
>> Suppose I was working on a problem for Barclays
>> Bank, do you suppose they would be thrilled with me posting
>> their networking innards for the world to see?



Re: Only one DS key comes back in query

2022-05-16 Thread Fred Morris
You walk up to me, virtually on the internet, and say "I work for Barclays 
Bank" or "I'm a prince from Nigeria"; my patience is a lot larger than my 
trust...


Yes, example.com is a real thing. It's recommended for written examples in 
documentation. For some reason people think they can copy and paste from 
Stack Overflow and when real domains are utilized in examples it causes 
problems for those real domains.


On Mon, 16 May 2022, frank picabia wrote:

> [...]
> Check other lists.  Postfix. Apache.  Whatever.  No one ever has an issue
> when they see example.com
> It's widely known as the boilerplate value you're leaving out of the
> equation for the moment.


Hopefully an unimportant "equation".

I don't think there's a claim here that the problem can be reproduced with 
example.com, is there? I can't find it. That would be a very good use for 
example.com, indeed.


What the OP has made clear is that they have a problem with their 
deployment, their domain. Anybody else piling on "me too"? I'm waiting; 
haven't seen it.


I've gone a few rounds with Apache, but never mind. Let's talk about 
postfix. Crikey, they can't even be bothered to get an LE cert for the 
website and catch flak at least monthly. Honey badger don't care.


They're very clear about postconf output. If you pasted postconf output 
from the manual (or Stack Overflow) I think the response would literally 
be "you are, most def joking".


But you be you Mr. Barclay.

--

Fred Morris, internet plumber
Not associated with either BIND or Postfix except I care.


Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users

> I am ridiculed by an ISC member for using a reserved domain according to


For the record, assuming you mean me, I am not affiliated with the gold folk at
ISC.

-JP


Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users

> Suppose I was working on a problem for Barclays Bank


In that case I would think Barclays Bank's Platinum Enterprise BIND Support
contract would cover answering such questions.

-JP


Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
I've been using open source for decades.  Long enough that I rarely need to
use lists for help.

Here's the RFC mentioning reserved domain name use:
https://www.rfc-editor.org/rfc/rfc2606.html

I am ridiculed by an ISC member for using a reserved domain according to
the purpose in the RFC and then
a second ISC member states I am arrogant?   I think there's a bunch of you
that need to check your privilege!
Or maybe these persons are the chief whips responsible for driving
people from the lists into paying customers?

Check other lists.  Postfix. Apache.  Whatever.  No one ever has an issue
when they see example.com
It's widely known as the boilerplate value you're leaving out of the
equation for the moment.

In the documentation I see this:

> Once the rndc reconfig command is issued, BIND serves a signed zone. The file
> dsset-example.com (created by dnssec-signzone when it signed the example.com
> zone) contains the DS record for the zone’s KSK. You will need to pass that
> to the administrator of the parent zone, to be placed in the zone.


It seems the first value in the dsset file is okay.  The documentation doesn't
talk about the second one, and this is where
the problem is seen.  I see one value on the second key (digest 2) in the dsset
file, and a different value using the value
obtained by running something like:

dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net

The digest 2 second key here seems to be what should be used with the
domain registrar.  I'll soon find out.



On Mon, May 16, 2022 at 2:54 PM Ondřej Surý  wrote:

> Well, then don’t expect people will want to help you. If you need to hide
> the information and you need help then you should be prepared to pay for
> the support. Coming to an open source list asking for help for free and
> expecting other people to help you is just plain arrogant behavior. Again, Bert
> Hubert was exactly right here:
>
> https://berthub.eu/articles/posts/anonymous-help/
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> On 16. 5. 2022, at 19:06, frank picabia  wrote:
>
> Suppose I was working on a problem for Barclays
> Bank, do you suppose they would be thrilled with me posting
> their networking innards for the world to see?
>
>


Re: Only one DS key comes back in query

2022-05-16 Thread Ondřej Surý
Well, then don’t expect people will want to help you. If you need to hide the 
information and you need help then you should be prepared to pay for the 
support. Coming to an open source list asking for help for free and expecting 
other people to help you is just plain arrogant behavior. Again, Bert Hubert was 
exactly right here:

https://berthub.eu/articles/posts/anonymous-help/

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 16. 5. 2022, at 19:06, frank picabia  wrote:
> 
> Suppose I was working on a problem for Barclays
> Bank, do you suppose they would be thrilled with me posting
> their networking innards for the world to see?


Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
Perhaps you are unaware of the use of this domain as a generic filler.

https://example.com/

I don't know why so many people assume the DNS information
will be openly shared.  Suppose I was working on a problem for Barclays
Bank, do you suppose they would be thrilled with me posting
their networking innards for the world to see?



On Mon, May 16, 2022 at 1:50 PM Jan-Piet Mens via bind-users <
bind-users@lists.isc.org> wrote:

> >The values in the file dsset-example.com generated by signing the zone
> are not good.
>
> If they are 'not good' then it's possible you are using an outdated dsset
> file. (And you are hiding domain names; I doubt example.com has been
> delegated
> to you.)
>
> dnssec-signzone creates dsset- files when signing a zone
> manually/semi-automatically. If you are signing with, say,
> autodnssec-maintain,
> then no dsset- file is created and you use dnssec-dsfromkey to determine
> the DS
> which you then submit to your parent zone.
>
> -JP


Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users

> The values in the file dsset-example.com generated by signing the zone are not 
> good.


If they are 'not good' then it's possible you are using an outdated dsset
file. (And you are hiding domain names; I doubt example.com has been delegated
to you.) 


dnssec-signzone creates dsset- files when signing a zone
manually/semi-automatically. If you are signing with, say, autodnssec-maintain,
then no dsset- file is created and you use dnssec-dsfromkey to determine the DS
which you then submit to your parent zone.

-JP


Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
I think I see the problem now.  The values in the file dsset-example.com
generated by signing the zone are not good.  I believe this was the bad
value being provided as reported by the registrar.  It was mentioned
in a user's comment on the DNSSEC guide that using the dsset file
wasn't the thing to do.  Using one of the other approaches with
dnssec-dsfromkey is needed.  The values in the dsset file begin the
same, but it's different.


On Mon, May 16, 2022 at 11:37 AM frank picabia  wrote:

>
> That's helpful.  Very similar to what I found a minute ago on
>
> https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/
>
> with their example:
>
> dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net
>
> I've done this for my domain and both of my DS keys are showing up.  Tried
> the dnssec-dsfromkey
> with the .key file as well and that sanity check passed.  I think I'm set
> up all right,
> I'll need to check again with the domain registrar.
>
> Thanks for the assistance.
>
>
> On Mon, May 16, 2022 at 11:15 AM Daniel Stirnimann <
> daniel.stirnim...@switch.ch> wrote:
>
>> If you have the public key file you can do:
>>
>> dnssec-dsfromkey Kexample.com.+013+55640.key
>> example.com. IN DS 55640 13 2
>> CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9
>>
>> Or you can query the auth nameserver like this:
>>
>> dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" |
>> dnssec-dsfromkey -f - example.com.
>>
>> Daniel
>>
>>
>> On 16.05.22 16:01, frank picabia wrote:
>> > Let's put it another way:
>> >
>> > Using tools like host or dig, can I look up my DS without it talking to
>> > the domain registrar?
>> >
>> > If it is always getting from the domain registrar, I can't see how to
>> > check the DS is set up all right purely within bind.
>> >
>> >
>> > On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev wrote:
>> >
>> > On 16/05/2022 15:07, frank picabia wrote:
>> >
>> > Hi Frank,
>> >
>> > > I have dsset-example.com showing two DS
>> > > keys with algorithm 8.
>> > > I included both .key files in my DNS.  Only digest 1 comes back
>> > > in a dig query.
>> > >
>> > > I use dnssec-signzone tool to sign the zone file.
>> > >
>> > > The domain registrar says there is a problem with the digest 2
>> value.
>> > > It's copied directly from the dsset file.
>> > >
>> > > Not sure about the chicken and the egg in this case.  When I do a
>> > dig, is
>> > > it really
>> > > just getting the value back from the domain registrar?
>> > >
>> > > Any suggestions on how to ensure my digest 2 DS value is set up
>> right?
>> >
>> > We cannot help you if we cannot see the DS records or know which
>> domain
>> > they are for.
>> >
>> > Anand
>> >
>> >
>>
>


Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
That's helpful.  Very similar to what I found a minute ago on
https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/

with their example:

dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net

I've done this for my domain and both of my DS keys are showing up.  Tried
the dnssec-dsfromkey
with the .key file as well and that sanity check passed.  I think I'm set
up all right,
I'll need to check again with the domain registrar.

Thanks for the assistance.


On Mon, May 16, 2022 at 11:15 AM Daniel Stirnimann <
daniel.stirnim...@switch.ch> wrote:

> If you have the public key file you can do:
>
> dnssec-dsfromkey Kexample.com.+013+55640.key
> example.com. IN DS 55640 13 2
> CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9
>
> Or you can query the auth nameserver like this:
>
> dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" |
> dnssec-dsfromkey -f - example.com.
>
> Daniel
>
>
> On 16.05.22 16:01, frank picabia wrote:
> > Let's put it another way:
> >
> > Using tools like host or dig, can I look up my DS without it talking to
> > the domain registrar?
> >
> > If it is always getting from the domain registrar, I can't see how to
> > check the DS is set up all right purely within bind.
> >
> >
> > On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev wrote:
> >
> > On 16/05/2022 15:07, frank picabia wrote:
> >
> > Hi Frank,
> >
> > > I have dsset-example.com showing two DS
> > keys with algorithm 8.
> > > I included both .key files in my DNS.  Only digest 1 comes back
> > > in a dig query.
> > >
> > > I use dnssec-signzone tool to sign the zone file.
> > >
> > > The domain registrar says there is a problem with the digest 2
> value.
> > > It's copied directly from the dsset file.
> > >
> > > Not sure about the chicken and the egg in this case.  When I do a
> > dig, is
> > > it really
> > > just getting the value back from the domain registrar?
> > >
> > > Any suggestions on how to ensure my digest 2 DS value is set up
> right?
> >
> > We cannot help you if we cannot see the DS records or know which
> domain
> > they are for.
> >
> > Anand
> >
> >
>


Re: Only one DS key comes back in query

2022-05-16 Thread Daniel Stirnimann
If you have the public key file you can do:

dnssec-dsfromkey Kexample.com.+013+55640.key
example.com. IN DS 55640 13 2
CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9

Or you can query the auth nameserver like this:

dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" |
dnssec-dsfromkey -f - example.com.

Daniel


On 16.05.22 16:01, frank picabia wrote:
> Let's put it another way:
> 
> Using tools like host or dig, can I look up my DS without it talking to
> the domain registrar?
> 
> If it is always getting from the domain registrar, I can't see how to
> check the DS is set up all right purely within bind.
> 
> 
> On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev wrote:
> 
> On 16/05/2022 15:07, frank picabia wrote:
> 
> Hi Frank,
> 
> > I have dsset-example.com  showing two DS
> keys with algorithm 8.
> > I included both .key files in my DNS.  Only digest 1 comes back
> > in a dig query.
> >
> > I use dnssec-signzone tool to sign the zone file.
> >
> > The domain registrar says there is a problem with the digest 2 value.
> > It's copied directly from the dsset file.
> >
> > Not sure about the chicken and the egg in this case.  When I do a
> dig, is
> > it really
> > just getting the value back from the domain registrar?
> >
> > Any suggestions on how to ensure my digest 2 DS value is set up right?
> 
> We cannot help you if we cannot see the DS records or know which domain
> they are for.
> 
> Anand
> 
> 
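Daniel's two commands both end in dnssec-dsfromkey, which hashes the canonical owner name followed by the DNSKEY RDATA and prints the result as a DS record. The script below is an added example, written for this thread and not part of BIND or of anyone's post, that performs the same computation in Python so a DS record taken from a dsset file, from a registrar's web form, or from a dig answer can be checked against the zone's DNSKEY without involving the registrar at all. It also handles the point Mark raises elsewhere in the thread: the digest field of a DS record may legitimately contain whitespace, so a line from a dsset file is parsed by joining every field after the digest type. The sample DNSKEY line is constructed (a dummy 4-byte key behind a syntactically valid algorithm 13 KSK), so its digest has no meaning beyond this demonstration; the domain name is the thread's own example.com placeholder.

```python
import base64
import hashlib
import struct

# DS digest types from the IANA registry (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercased, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("bad label in %r" % name)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(line):
    """Parse a DNSKEY record in presentation format
    ('owner [ttl] [class] DNSKEY flags protocol algorithm base64...').
    Returns (owner, flags, protocol, algorithm, rdata_bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may also be split
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return fields[0], flags, protocol, algorithm, rdata


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B, non-RSAMD5 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(dnskey_line, digest_type=2):
    """Compute (key_tag, algorithm, digest_type, hex_digest) for a DNSKEY,
    which is what dnssec-dsfromkey prints. The digest covers the canonical
    owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    owner, _flags, _protocol, algorithm, rdata = parse_dnskey(dnskey_line)
    hasher = DIGEST_ALGORITHMS[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_ds(line):
    """Parse a DS record as found in a dsset-* file or a dig answer.
    The digest field may contain whitespace (RFC 4034 section 5.3), so every
    field after the digest type is joined; a naive split() would otherwise
    treat a SHA-256 digest written as two 'words' as two separate values."""
    fields = line.split()
    i = fields.index("DS")
    tag, algorithm, digest_type = (int(f) for f in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()
    return tag, algorithm, digest_type, digest


def ds_matches(ds_line, dnskey_line):
    """True if the DS line is exactly what the given DNSKEY produces, i.e. what
    a validating resolver will compare against the child's DNSKEY RRset."""
    tag, algorithm, digest_type, digest = parse_ds(ds_line)
    if digest_type not in DIGEST_ALGORITHMS:
        return False
    return (tag, algorithm, digest_type, digest) == ds_from_dnskey(dnskey_line, digest_type)


# Constructed sample (not a real key): a KSK line for algorithm 13 whose
# public key is the 4 dummy bytes 01 02 03 04. Real P-256 keys are 64 bytes;
# the key tag and digest computation are identical.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_DNSKEY)
    print("example.com. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
    # A dsset-style line with the digest split by a space still verifies.
    split_line = "example.com. IN DS %d %d %d %s %s" % (tag, alg, dtype, digest[:56], digest[56:])
    print("split digest verifies:", ds_matches(split_line, SAMPLE_DNSKEY))
```

To use it against a real zone, paste the KSK line from `dig @localhost example.com. DNSKEY` (flags 257) as `dnskey_line` and the DS line from the dsset file or the registrar's form as `ds_line`; `ds_matches` returning False with the digest stripped of whitespace means the registrar holds a digest for a different key (or a different algorithm or digest type), not a copy-and-paste problem.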


Re: Only one DS key comes back in query

2022-05-16 Thread Ondřej Surý
You don’t put DS into child zone, the DS record goes to parent zone,
so your question doesn’t make sense in this context.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 16. 5. 2022, at 16:01, frank picabia  wrote:
> 
> Let's put it another way:
> 
> Using tools like host or dig, can I look up my DS without it talking to the 
> domain registrar?
> 
> If it is always getting from the domain registrar, I can't see how to check 
> the DS is set up all right purely within bind.
> 
> 
> On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev  wrote:
> On 16/05/2022 15:07, frank picabia wrote:
> 
> Hi Frank,
> 
> > I have dsset-example.com showing two DS keys with algorithm 8.
> > I included both .key files in my DNS.  Only digest 1 comes back
> > in a dig query.
> >
> > I use dnssec-signzone tool to sign the zone file.
> >
> > The domain registrar says there is a problem with the digest 2 value.
> > It's copied directly from the dsset file.
> >
> > Not sure about the chicken and the egg in this case.  When I do a dig, is
> > it really
> > just getting the value back from the domain registrar?
> >
> > Any suggestions on how to ensure my digest 2 DS value is set up right?
> 
> We cannot help you if we cannot see the DS records or know which domain
> they are for.
> 
> Anand


Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
Let's put it another way:

Using tools like host or dig, can I look up my DS without it talking to the
domain registrar?

If it is always getting from the domain registrar, I can't see how to check
the DS is set up all right purely within bind.


On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev  wrote:

> On 16/05/2022 15:07, frank picabia wrote:
>
> Hi Frank,
>
> > I have dsset-example.com showing two DS keys with algorithm 8.
> > I included both .key files in my DNS.  Only digest 1 comes back
> > in a dig query.
> >
> > I use dnssec-signzone tool to sign the zone file.
> >
> > The domain registrar says there is a problem with the digest 2 value.
> > It's copied directly from the dsset file.
> >
> > Not sure about the chicken and the egg in this case.  When I do a dig, is
> > it really
> > just getting the value back from the domain registrar?
> >
> > Any suggestions on how to ensure my digest 2 DS value is set up right?
>
> We cannot help you if we cannot see the DS records or know which domain
> they are for.
>
> Anand
>


Re: Only one DS key comes back in query

2022-05-16 Thread Anand Buddhdev

On 16/05/2022 15:07, frank picabia wrote:

Hi Frank,


I have dsset-example.com showing two DS keys with algorithm 8.
I included both .key files in my DNS.  Only digest 1 comes back
in a dig query.

I use dnssec-signzone tool to sign the zone file.

The domain registrar says there is a problem with the digest 2 value.
It's copied directly from the dsset file.

Not sure about the chicken and the egg in this case.  When I do a dig, is
it really
just getting the value back from the domain registrar?

Any suggestions on how to ensure my digest 2 DS value is set up right?


We cannot help you if we cannot see the DS records or know which domain 
they are for.


Anand


Only one DS key comes back in query

2022-05-16 Thread frank picabia
I have dsset-example.com showing two DS keys with algorithm 8.
I included both .key files in my DNS.  Only digest 1 comes back
in a dig query.

I use dnssec-signzone tool to sign the zone file.

The domain registrar says there is a problem with the digest 2 value.
It's copied directly from the dsset file.

Not sure about the chicken and the egg in this case.  When I do a dig, is
it really
just getting the value back from the domain registrar?

Any suggestions on how to ensure my digest 2 DS value is set up right?