The new key does not sign the DNSKEY RRset.

% dig csupomona.edu dnskey +rrcomm +dnssec | grep 58561
csupomona.edu. 43072 IN DNSKEY 257 3 8 AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9urWU1Tq4kc21Ca0wsFZQCB 1jU5XNXCiITwEiRboxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbibnd3Y 6oeUfZvKyqgvNlSJqpLdC5SsHN2r9lHREpO3VpE+bZDdfMys8Lb3xtNq dzjRX8a4nz0zH1JfrSQG92pP5YXhErsP//r7YCOQdwnuNsWmECWXDISD hlorYqRsHNmjFsnrCpbDkrp9J84ItPcN7DXqDofxRqGxIZ+sx7GcXecC cyAEtHrM1bZuhzwUjWiscfADWwNTfRrxRxPAgAAorXL4/dYAx/8QfFIN z2/w8Pblrs0= ; KSK; alg = RSASHA256; key id = 58561
%

Compare this with the current key.

% dig csupomona.edu dnskey +rrcomm +dnssec | grep 64507
csupomona.edu. 42904 IN DNSKEY 257 3 8 AwEAAdGKMuliCXyKT1xnqZTCu0XJwJ45uDXi/OWnYbIJox7TejDTS9j9 mZqnzh/T+s8awm/qJDJASSfK1Udi58I32kZr/O+hzyPR7IH7JT61YWjP Ilf3WslOS9hmsUEEWxvu8WdmLbyHaf+wWFUMYiyvHcVcw1xPlURI0z6x P1vLl0/Oxy4qNRTARjfcuj5MmdntmB7PHR3nK+Hm8NO1Yt1yDnHTr2LB KGneJdwYUPaSXW+R8nUF98yrZghn0LjzKo3Rp7QZ446dxN8OTjo+KDyx boP5+dO+EnU7qRuYWfLjwomtI7S1sWQZbIkGhQsS2FIcC9y3SL1LYWe8 HtqBkozSED8= ; KSK; alg = RSASHA256; key id = 64507
csupomona.edu. 42904 IN RRSIG DNSKEY 8 2 43200 20140818161836 20140714163232 64507 csupomona.edu. o4bJimrnoVXVtv4eviO5xKwULVrNv0d1nGQ09yDOAJa5dls9ZIgbca2/ feCDC7xZv6r2586PUBL1kyRlxJGLXBbKz7UK6svMOrUrEYEZivWBFP3D wb6KjrtyN/8sF0ab7Y7x9plGPh8PYpU/Q3QX9XCdolZTTAUvoCQlFkgs o5jvJkl2JvlJ2aP7IbcuExpQc+M9gSU5hE7V5WZv8DrI2iwZh17fzBcm qmX9R7UBnIyvZFDKsVd4QUVLh6+XGyMU8WZWhoiApWLhaWvL3QxNBWHn FrhkZq+V3IKNxxDs2KzwAaq8JWBefFXQP6tCS77NZgR43OBIOZp/m8Zi gOJGWQ==
%

Make sure the DNSKEY RRset is signed with the new key then try to add the DS record to the parent.

Mark

In message <[email protected]>, "Paul B. Henson" writes:
> We roll our KSK's for our edu domain annually in July, after which I need to
> manually go to the EDUCAUSE management site to delete the old DS records for
> the key no longer in use, and add the new DS records for the key just
> published and scheduled to be used the following year.
>
> This year, after deleting the old records, I have been unable to add the new
> records, when I try to add the new records into their system, it tells me
> "We were unable to locate the DNSSEC data you entered in the published zone
> for this domain". From what I understand, they basically do a DNSKEY lookup
> for the zone, and if you are trying to enter DS records for a key that
> doesn't exist, they try to keep you from shooting yourself in the foot.
> However, I'm reasonably sure I am entering the correct records for the new
> key that is published and does exist.
>
> After opening a trouble ticket, they indicate that they have received no
> other complaints and as far as they know their system is working correctly.
> While they continue to look into it, I was hoping to get a quick sanity
> check to make sure I'm not doing something stupid :).
>
> As of today, there are three DNSKEY KSK's being published in our zone,
> csupomona.edu:
>
> 43200 DNSKEY 257 3 8 (
> AwEAAdFxrkq3ckurcqLiyaoXUTgnbNYeNqPz
> ux9X90Y4mxdgq+by/q7n+tAFL0D3mnR583f7
> BFjRCWjNU5Txn2kkc3vCW7vy4ACzOw1svEXu
> pA+VW4SxwkzIIlXDYqA0H9rwtuh02KXCLDNX
> NMJE/gmjHUUavy99sK+fbZp/+wDIG6E/xEgi
> a/AzeXlN5ooorNl5HqHYRCl3q0tAHSiXCDmV
> gRc1mKKPfURILiaGiHMAt13duN+COtX0I3GJ
> T1t54NJ6pUWzHo0G9l4XzKB+QDXrVSjIbw+I
> 3f2AQ2X2OtOyL+8ZnDK9WxoaJF2IwUsy4Gkw
> etIyZrxbdOJegbuKQG9ocVs=
> ) ; KSK; alg = RSASHA256; key id = 7390
>
> This is the old key, that was in use from 7/2013-7/2014, and will actually
> be removed tomorrow.
>
> 43200 DNSKEY 257 3 8 (
> AwEAAdGKMuliCXyKT1xnqZTCu0XJwJ45uDXi
> /OWnYbIJox7TejDTS9j9mZqnzh/T+s8awm/q
> JDJASSfK1Udi58I32kZr/O+hzyPR7IH7JT61
> YWjPIlf3WslOS9hmsUEEWxvu8WdmLbyHaf+w
> WFUMYiyvHcVcw1xPlURI0z6xP1vLl0/Oxy4q
> NRTARjfcuj5MmdntmB7PHR3nK+Hm8NO1Yt1y
> DnHTr2LBKGneJdwYUPaSXW+R8nUF98yrZghn
> 0LjzKo3Rp7QZ446dxN8OTjo+KDyxboP5+dO+
> EnU7qRuYWfLjwomtI7S1sWQZbIkGhQsS2FIc
> C9y3SL1LYWe8HtqBkozSED8=
> ) ; KSK; alg = RSASHA256; key id = 64507
>
> This is the current key in use, originally published 7/2013, activated
> 7/2014, and scheduled to be used through 7/2015. This key has DS records in
> the edu zone that I added last year:
>
> csupomona.edu. IN DS 64507 8 1 4736F7DB4A69FF2A97C7CAF3848EFD0BBC42AC1C
> csupomona.edu. IN DS 64507 8 2 85567D63F5AA85A9CE5303776F3DBBCFCB8C82F254E55EE4ECC4279A 04CC350A
>
> 43200 DNSKEY 257 3 8 (
> AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9ur
> WU1Tq4kc21Ca0wsFZQCB1jU5XNXCiITwEiRb
> oxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbib
> nd3Y6oeUfZvKyqgvNlSJqpLdC5SsHN2r9lHR
> EpO3VpE+bZDdfMys8Lb3xtNqdzjRX8a4nz0z
> H1JfrSQG92pP5YXhErsP//r7YCOQdwnuNsWm
> ECWXDISDhlorYqRsHNmjFsnrCpbDkrp9J84I
> tPcN7DXqDofxRqGxIZ+sx7GcXecCcyAEtHrM
> 1bZuhzwUjWiscfADWwNTfRrxRxPAgAAorXL4
> /dYAx/8QfFINz2/w8Pblrs0=
> ) ; KSK; alg = RSASHA256; key id = 58561
>
> And finally, the new key I just created, for which I'm trying to add DS
> records. The dsset file created by dnssec-signzone says these records should
> be:
>
> csupomona.edu. IN DS 58561 8 1 68893E21C919C85530F9033B4315F68D1248CDBC
> csupomona.edu. IN DS 58561 8 2 DDA5E90D66BB90E2D10881DE0974A3DF0A3C614A6D88C1BA28B19546 1E45C8C5
>
> The same records are generated by dnssec-dsfromkey. Yet, when I try to
> register these DS records with EDUCAUSE, their system claims they cannot
> find a matching key in our published zone.
>
> Does anybody see anything out of place? Fortunately, the key is not
> scheduled to be used until 2015, so there's plenty of time to work this out;
> unfortunately, it's gnawing at me that it's not complete yet 8-/.
>
> Thanks.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
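As an added example, not code from the thread or from BIND, the two computations the thread turns on: the DS digests that dnssec-dsfromkey derives from a DNSKEY (RFC 4034), and Mark's pre-flight test that the key whose DS you are about to publish actually signs the DNSKEY RRset. It uses the key id 58561 record and the RRSIG line quoted above; the signature bytes are left out because the parser only reads the key-tag column.

```python
import base64, hashlib, struct
# Values copied from the thread: the new KSK's public key (key id 58561) and
# dig's RRSIG over the DNSKEY RRset (signed by key id 64507 only).
NEW_KSK_PUBKEY = (
    "AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9urWU1Tq4kc21Ca0wsFZQCB"
    "1jU5XNXCiITwEiRboxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbibnd3Y"
    "6oeUfZvKyqgvNlSJqpLdC5SsHN2r9lHREpO3VpE+bZDdfMys8Lb3xtNq"
    "dzjRX8a4nz0zH1JfrSQG92pP5YXhErsP//r7YCOQdwnuNsWmECWXDISD"
    "hlorYqRsHNmjFsnrCpbDkrp9J84ItPcN7DXqDofxRqGxIZ+sx7GcXecC"
    "cyAEtHrM1bZuhzwUjWiscfADWwNTfRrxRxPAgAAorXL4/dYAx/8QfFIN"
    "z2/w8Pblrs0=")
DNSKEY_RRSIGS = ["csupomona.edu. 42904 IN RRSIG DNSKEY 8 2 43200 20140818161836 "
                 "20140714163232 64507 csupomona.edu. <signature omitted>"]

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, RFC 4034 s6.2."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the whole DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(owner, flags, protocol, algorithm, pubkey_b64):
    """DS RDATA tuples (key tag, algorithm, digest type, digest) for SHA-1 and SHA-256."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    msg = name_to_wire(owner) + rdata          # digest input per RFC 4034 s5.1.4
    return [(key_tag(rdata), algorithm, dt, h(msg).hexdigest().upper())
            for dt, h in ((1, hashlib.sha1), (2, hashlib.sha256))]

def dnskey_signers(rrsig_lines):
    """Key tags of RRSIGs that cover the DNSKEY RRset (dig presentation format)."""
    tags = set()
    for line in rrsig_lines:
        f = line.split()
        if len(f) > 10 and f[3] == "RRSIG" and f[4] == "DNSKEY":
            tags.add(int(f[10]))               # column 11 is the RRSIG key tag
    return tags

def safe_to_publish_ds(owner, flags, protocol, algorithm, pubkey_b64, rrsig_lines):
    """Mark's rule: publish a DS only for a key that currently signs the DNSKEY RRset."""
    tag = key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey_b64))
    return tag in dnskey_signers(rrsig_lines)
```

Run against the records above, `ds_records` reproduces the two DS lines from Paul's dsset file, while `safe_to_publish_ds` returns False because the only DNSKEY RRSIG carries key tag 64507.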

