> I don't know why but the created new digest hash didn't match.
> The technique is to use same digest algorithm type and create a digest
> of the matching DNSKEY. In this case the resulting digest didn't match.
> (New one was six bytes shorter.)

I did this wrong. A little cleanup below. I don't know why the digests don't match.

> I will stop here. I just assume something is wrong with the crypto (in
> bind9 or its dependencies).

;; validating ch/DNSKEY: JCR3: dns_rdata_tostruct result 0
;; validating ch/DNSKEY: JCR24: old key tag 55966
;; validating ch/DNSKEY: JCR25: old algorithm 13
;; validating ch/DNSKEY: JCR22: old ds length 32
;; validating ch/DNSKEY: JCR23: old digest CEB479416E4EFD770800434BE1245E1B10D4CF018255C11D8544C448FA032B32
;; validating ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating ch/DNSKEY: JCR9: algorithm 13 13
;; validating ch/DNSKEY: JCR8: keytag 55966 18757
;; validating ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating ch/DNSKEY: JCR9: algorithm 13 13
;; validating ch/DNSKEY: JCR8: keytag 55966 55966
;; validating ch/DNSKEY: JCR10: dns_ds_buildrdata result 0
;; validating ch/DNSKEY: JCR14: new type 43
;; validating ch/DNSKEY: JCR15: old length 36
;; validating ch/DNSKEY: JCR16: new length 36
;; validating ch/DNSKEY: JCR17: new digest type 2
;; validating ch/DNSKEY: JCR18: new key tag 55966
;; validating ch/DNSKEY: JCR19: new algorithm 13
;; validating ch/DNSKEY: JCR20: new ds length 32
;; validating ch/DNSKEY: JCR21: new digest CEB479416E4EFD770800434BE1245E1B10D4CF018255C11D8544C448FA032B32
;; validating ch/DNSKEY: JCR13: dns_rdata_compare result 0
;; validating ch/DNSKEY: JCR11: dns_rdata_compare
;; validating ch/DNSKEY: JCR2: keyfromds result 0
;; validating ch/DNSKEY: JCR: result 0
;; validating protonmail.ch/DNSKEY: JCR3: dns_rdata_tostruct result 0
;; validating protonmail.ch/DNSKEY: JCR24: old key tag 27196
;; validating protonmail.ch/DNSKEY: JCR25: old algorithm 8
;; validating protonmail.ch/DNSKEY: JCR22: old ds length 48
;; validating protonmail.ch/DNSKEY: JCR23: old digest E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
;; validating protonmail.ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating protonmail.ch/DNSKEY: JCR9: algorithm 8 8
;; validating protonmail.ch/DNSKEY: JCR8: keytag 27196 6753
;; validating protonmail.ch/DNSKEY: JCR7: dns_rdata_tostruct result 0
;; validating protonmail.ch/DNSKEY: JCR9: algorithm 8 8
;; validating protonmail.ch/DNSKEY: JCR8: keytag 27196 27196
;; validating protonmail.ch/DNSKEY: JCR10: dns_ds_buildrdata result 0
;; validating protonmail.ch/DNSKEY: JCR14: new type 43
;; validating protonmail.ch/DNSKEY: JCR15: old length 52
;; validating protonmail.ch/DNSKEY: JCR16: new length 52
;; validating protonmail.ch/DNSKEY: JCR17: new digest type 4
;; validating protonmail.ch/DNSKEY: JCR18: new key tag 27196
;; validating protonmail.ch/DNSKEY: JCR19: new algorithm 8
;; validating protonmail.ch/DNSKEY: JCR20: new ds length 48
;; validating protonmail.ch/DNSKEY: JCR21: new digest 73D3962080B965B6A3D80AB3097FDA1C561C49FB938C06941D9910DC6B3E21AC0F2C8610BB8F6ADB0279EC726D2C4648
;; validating protonmail.ch/DNSKEY: JCR13: dns_rdata_compare result 1
;; validating protonmail.ch/DNSKEY: JCR12: dns_rdata_compare else
;; validating protonmail.ch/DNSKEY: JCR2: keyfromds result 29
;; validating protonmail.ch/DNSKEY: JCR: result 29
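
An independent cross-check of the comparison traced above, added here as an example and not taken from this message or from the bind9 source: for each DNSKEY with the same algorithm and key tag as the DS, it rebuilds the DS with the same digest type (RFC 4034: digest over the canonical owner name followed by the DNSKEY RDATA) and compares. The function names and the sample keys are assumptions constructed for illustration.

```python
import hashlib
import struct

# Digest types from the DS registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.lower().encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def build_ds(owner, rdata, digest_type):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def key_from_ds(owner, ds, dnskey_rdatas):
    """Return the DNSKEY RDATA that the DS vouches for, or None."""
    ds_tag, ds_alg, ds_type, _ = ds
    for rdata in dnskey_rdatas:
        # Cheap filter first, like the "algorithm" and "keytag" log lines.
        if rdata[3] != ds_alg or key_tag(rdata) != ds_tag:
            continue
        # Rebuild with the SAME digest type as the DS, then compare whole.
        if build_ds(owner, rdata, ds_type) == ds:
            return rdata
    return None

# Constructed sample keys (filler bytes, not real zone keys).
ZSK = dnskey_rdata(256, 3, 13, bytes(range(64)))
KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
```

A candidate that passes the algorithm and key tag filter but fails the digest comparison, as in the protonmail.ch trace, makes key_from_ds return None.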