[Opendnssec-user] DS records at Godaddy with .co tld
Nix Related
pcfnix at gmail.com
Wed Apr 8 15:37:52 UTC 2015
I have successfully implemented opendnssec. I have multiple domains at
GoDaddy and while all other TLDs work after inputting the results from
ods-ksmutil key ds-seen -z domain.co -x 12345
the domains with the .co TLD have an extra input field which is required.
Instead of the usual
Key Tag:
Algorithm:
Digest Type:
and
Digest:
There is one more required field called Key Data Alg in which the tool-tip
states:
"The key data algorithm determines the method used for encrypting the
public key. Values must be an integer between 0 and 255 and must match the
server."
Over at this link
https://www.edge-cloud.net/2014/06/practical-guide-dns-based-authentication-named-entities-dane/
In the comments section at the bottom, Christian Elsen says:
"Here is what these fields mean along with possible values:
– flags: 256 for Zone Signing Keys (ZSK), 257 for Key Signing Keys (KSK)
You want 257 for the long-term Key Signing Key in this case
– protocol: always 3 to signify DNSSEC
– key data alg: 5 for RSA with SHA1 (currently the only specified choice)
– public key: base64 format of the public key (either ZSK or KSK)"
and
"You can also look up the correct values via “dig type48 examples.com”
against your domain."
In the specifics of
https://support.godaddy.com/help/article/6114/about-self-managed-dnssec
titled About Self-Managed DNSSEC it seems to be missing the information
regarding this required Key Data Alg: input field in their DS form.
"ods-ksmutil key export --zone domain.co --verbose" reveals:
domain.co. 3600 IN DNSKEY 257 3 8
AwEAAc69iKpMRQCV53HoqII8gP+TO6/XEiB80ydhhJSC8Nfqz07KdlGpZIR5pgIN6JcAldXnlVgYjpoOO9eFpZfKtRR994Bao+6BNhkNWcZYESJnfNCEL3Vnkdl2qLNeyIwGBqWPjYSfpFEfiaSePBCuX+7zn8F9d14Q9Ni0jgw1v4uIi4q6dh7Zgg5WC7LURt4kPwOMphANkikL02zGzO/QwdzGRyX5R5sUL4yn8gUrBEeMsn3RI06Z83yS8BoEGcBJ0PitciqILNK0PkPwg9c3FqERVpt202evVMBPlIvCPn5Y/nXMDN18Yy84982W9oRYf8xVU89qgdrdzh0ZJr4u5Cs=
;{id = 65105 (ksk), size = 2048b}
GoDaddy's support was of no help.
The possibilities for Key Data Alg: are 1, 2, 3, 5, 6, 7, 8, 10, 12
I tried all of them and received a momentary failure email.
Regards,
Peter