Hi Mike,

On 10/15/19 9:23 AM, Mike Cardwell wrote:
> I think you've spotted the problem. I was running:
>
> $ pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1
>
> Which was creating a new ZSK with an algorithm of 5, when the old KSK
> and ZSK were both algorithm 7 in the db.

Right, so because of the wrong algo you got the 2 sigs (1 for each "algo"), as we "upgrade" algo 5 to 7 for NSEC3 zones.

> When I append "-nsec3-sha1" to the algorithm arg, it started working
> fine:
>
> $ pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1-nsec3-sha1

Wonderful to hear!

> Not sure if this was my mistake, or a bug in the program, or a
> combination, but FWIW, the reason I used "rsasha1" as my argument
> instead of "rsasha1-nsec3-sha1" was because I felt like that was what
> the help output was telling me to do:
>
> root@ned:~# pdnsutil add-zone-key help
> Oct 15 08:17:55 Reading random entropy from '/dev/urandom'
> Syntax: pdnsutil add-zone-key ZONE zsk|ksk [BITS] [active|inactive]
> [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384]

It is 3 things:

1. The help output is indeed missing algo 7
2. You then created a key with the wrong algo
3. Our upgrade codepath from algo 5 to 7 is missing things

I've discussed this issue with our product owner and we're planning to remove the algo 5 to algo 7 upgrade functionality in an upcoming version, where some tools will be available to fix the database. In the meantime, I've fixed the help output of pdnsutil[1].

Best regards,

Pieter

1 - https://github.com/PowerDNS/pdns/pull/8420

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
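The thread above boils down to a DNSKEY RRset that mixed algorithm 5 (RSASHA1) with algorithm 7 (RSASHA1-NSEC3-SHA1), which costs an extra RRSIG per RRset (RFC 4035 requires every algorithm in the apex DNSKEY RRset to sign everything) and, in an NSEC3 zone, is outright disallowed by RFC 5155. The check below is an added example, not PowerDNS code and not anything posted in the thread: it parses DNSKEY records in presentation format and reports the mismatches a zone operator would want to catch before activating a new key. The DNSKEY lines are constructed sample data with placeholder key material, and the function names are my own.

```python
"""Consistency check over a zone's DNSKEY RRset (added example, not PowerDNS code).

Input is DNSKEY records in presentation format:
    owner [ttl] [IN] DNSKEY flags protocol algorithm public-key
The sample records below are constructed; the key material is a placeholder.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# IANA DNSSEC algorithm numbers relevant here (RFC 4034, RFC 5155, RFC 5702,
# RFC 6605, RFC 8080).
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

# RFC 5155 section 2: DSA (3) and RSASHA1 (5) do not signal NSEC3 support, so
# an NSEC3-signed zone must not carry a DNSKEY with either algorithm.
NSEC3_INCOMPATIBLE = {3, 5}

SEP_FLAG = 0x0001  # Secure Entry Point bit (RFC 4034 2.1.1) marks a KSK


@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    algorithm: int

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)


def algorithm_name(alg: int) -> str:
    return ALGORITHM_NAMES.get(alg, f"alg{alg}")


def parse_dnskey(line: str) -> DnsKey:
    """Parse one presentation-format DNSKEY record; TTL and class are optional."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    idx = fields.index("DNSKEY")
    if len(fields) < idx + 5:
        raise ValueError(f"truncated DNSKEY record: {line!r}")
    flags, protocol, algorithm = (int(fields[idx + 1]), int(fields[idx + 2]), int(fields[idx + 3]))
    if protocol != 3:
        raise ValueError(f"DNSKEY protocol field must be 3, got {protocol}")
    return DnsKey(owner=fields[0].rstrip(".").lower(), flags=flags, algorithm=algorithm)


def check_dnskeys(records: Iterable[str], uses_nsec3: bool) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the RRset is consistent."""
    keys = [parse_dnskey(r) for r in records]
    findings: List[Tuple[str, str]] = []
    ksk_algs = {k.algorithm for k in keys if k.is_ksk}
    zsk_algs = {k.algorithm for k in keys if not k.is_ksk}
    all_algs = ksk_algs | zsk_algs

    # RFC 4035 2.2: each algorithm present in the apex DNSKEY RRset must sign
    # every RRset, so a stray algorithm doubles the RRSIGs and needs its own
    # KSK/ZSK pair to validate at all.
    if ksk_algs != zsk_algs:
        findings.append(("MIXED_ALGORITHMS",
                         f"KSK algorithms {sorted(ksk_algs)} differ from ZSK algorithms {sorted(zsk_algs)}"))

    if uses_nsec3:
        for alg in sorted(all_algs & NSEC3_INCOMPATIBLE):
            findings.append(("NSEC3_INCOMPATIBLE_ALGORITHM",
                             f"algorithm {alg} ({algorithm_name(alg)}) does not signal NSEC3 support; "
                             f"the NSEC3 alias of RSASHA1 is 7 ({algorithm_name(7)})"))

    # 5 and 7 are the same RSA/SHA-1 signature scheme and differ only in NSEC3
    # signalling, so seeing both usually means a key was created with the wrong name.
    if {5, 7} <= all_algs:
        findings.append(("ALG5_AND_ALG7",
                         "both RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7) present; they are cryptographically identical"))
    return findings


# Constructed sample: the state from the thread (KSK + ZSK on 7, new ZSK on 5),
# then the corrected state. Key material is a placeholder, not a real key.
SAMPLE_BEFORE = [
    "parsemail.org. 3600 IN DNSKEY 257 3 7 AwEAAPLACEHOLDERKSK==",
    "parsemail.org. 3600 IN DNSKEY 256 3 7 AwEAAPLACEHOLDERZSK==",
    "parsemail.org. 3600 IN DNSKEY 256 3 5 AwEAAPLACEHOLDERNEWZSK==",
]
SAMPLE_AFTER = SAMPLE_BEFORE[:2] + ["parsemail.org. 3600 IN DNSKEY 256 3 7 AwEAAPLACEHOLDERNEWZSK=="]

if __name__ == "__main__":
    for label, records in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        findings = check_dnskeys(records, uses_nsec3=True)
        print(f"{label}: {'OK' if not findings else ''}")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

Feed it the DNSKEY records for the zone (from `dig DNSKEY` against the authoritative server or from the zone's own export) and pass `uses_nsec3=True` for NSEC3-signed zones; run it before activating a freshly added key so a name mix-up like `rsasha1` versus `rsasha1-nsec3-sha1` is caught before the signer starts emitting a second set of signatures.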
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users