Re: Only one DS key comes back in query

2022-05-19 Thread frank picabia
Thanks for this detailed information, Mark. I'll blame it on the antibiotics and old age but I had never noticed the key is actually complete in my dsset file if I don't interpret the space as a delimiter. So there are two ways to get the DS keys: from the dsset file while ignoring the space

Re: Only one DS key comes back in query

2022-05-18 Thread Mark Andrews
I suspect that you failed to copy the complete second record or that the registrar failed to handle the optional white space in the last field. Without you posting the contents of the dsset file and what you passed to the registrar there is no way to know. There is also no way to know if it

Re: Only one DS key comes back in query

2022-05-18 Thread Matthew Pounsett
On Mon, May 16, 2022 at 2:41 PM frank picabia wrote:
> I've been using open source for decades. Long enough that I rarely need
> to use lists for help.
>
> Here's the RFC mentioning reserved domain name use:
> https://www.rfc-editor.org/rfc/rfc2606.html
Those reservations are for testing and

Re: Only one DS key comes back in query

2022-05-17 Thread Victoria Risk
Hi Frank, The use of example.com and the like on this list is provocative specifically because people are frustrated that they then cannot help you. It is something of a special situation that since you are not a regular participant here, you were unaware of. The people on this list will

Re: Only one DS key comes back in query

2022-05-16 Thread Fred Morris
You walk up to me, virtually on the internet, and say "I work for Barclays Bank" or "I'm a prince from Nigeria" my patience is a lot larger than my trust... Yes, example.com is a real thing. It's recommended for written examples in documentation. For some reason people think they can copy and

Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users
> I am ridiculed by an ISC member for using a reserved domain according to
For the record, assuming you mean me, I am not affiliated with the gold folk at ISC.
-JP
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this

Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users
> Suppose I was working on a problem for Barclays Bank
In that case I would think Barclays Bank's Platinum Enterprise BIND Support contract would cover answering such questions.
-JP

Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
I've been using open source for decades. Long enough that I rarely need to use lists for help. Here's the RFC mentioning reserved domain name use: https://www.rfc-editor.org/rfc/rfc2606.html I am ridiculed by an ISC member for using a reserved domain according to the purpose in the RFC and then

Re: Only one DS key comes back in query

2022-05-16 Thread Ondřej Surý
Well, then don’t expect people will want to help you. If you need to hide the information and you need help then you should be prepared to pay for the support. Coming to open source list asking for help for free and expect other people to help you is just plain arrogant behavior. Again, Bert

Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
Perhaps you are unaware of the use of this domain as a generic filler. https://example.com/ I don't know why so many people assume the DNS information will be openly shared. Suppose I was working on a problem for Barclays Bank, do you suppose they would be thrilled with me posting their

Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users
> The values in the file dsset-example.com generated by signing the zone are not good.
If they are 'not good' then it's possible you are using an outdated dsset file. (And you are hiding domain names; I doubt example.com has been delegated to you.) dnssec-signzone creates dsset- files when

Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
I think I see the problem now. The values in the file dsset-example.com generated by signing the zone are not good. I believe this was the bad value being provided as reported by the registrar. It was mentioned in a user's comment on the DNSSEC guide that using the dsset file wasn't the thing

Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
That's helpful. Very similar to what I found a minute ago on https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/ with their example: dig @localhost dnskey irrashai.net | dnssec-dsfromkey -f - irrashai.net I've done this for my domain and both of my DS keys

Re: Only one DS key comes back in query

2022-05-16 Thread Daniel Stirnimann
If you have the public key file you can do:
dnssec-dsfromkey Kexample.com.+013+55640.key
example.com. IN DS 55640 13 2 CF681BA4D66B41912B4DC525ADFC948218EC3DBA724F266D25BD1702BE8A8BA9
Or you can query the auth nameserver like this:
dig @localhost example.com. DNSKEY | egrep "IN\sDNSKEY\s257" |

Re: Only one DS key comes back in query

2022-05-16 Thread Ondřej Surý
You don’t put DS into child zone, the DS record goes to parent zone, so your question doesn’t make sense in this context. Ondrej -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working

Re: Only one DS key comes back in query

2022-05-16 Thread frank picabia
Let's put it another way: Using tools like host or dig, can I look up my DS without it talking to the domain registrar? If it is always getting from the domain registrar, I can't see how to check the DS is set up all right purely within bind. On Mon, May 16, 2022 at 10:16 AM Anand Buddhdev

Re: Only one DS key comes back in query

2022-05-16 Thread Anand Buddhdev
On 16/05/2022 15:07, frank picabia wrote: Hi Frank, I have dsset-example.com showing two DS keys with algorithm 8. I included both .key files in my DNS. Only digest 1 comes back in a dig query. I use dnssec-signzone tool to sign the zone file. The domain registrar says there is a problem

Only one DS key comes back in query

2022-05-16 Thread frank picabia
I have dsset-example.com showing two DS keys with algorithm 8. I included both .key files in my DNS. Only digest 1 comes back in a dig query. I use dnssec-signzone tool to sign the zone file. The domain registrar says there is a problem with the digest 2 value. It's copied directly from the