From benjamin.zwittnig at arnes.si  Mon Nov  6 09:49:20 2023
From: benjamin.zwittnig at arnes.si (Benjamin Zwittnig)
Date: Mon, 6 Nov 2023 10:49:20 +0100
Subject: [Opendnssec-user] wrong DS record
Message-ID: <e1cc724d-68cc-4461-9841-9f3e515b3dea@arnes.si>

Hi,

We have noticed that on AlmaLinux 9.2 with opendnssec installed from 
official repo the command 'ods-enforcer key export --ds' prints wrong DS 
record:

[root at xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si
test1234.si. 3600 IN DNSKEY 257 3 13 
VtW3wv6GauZXSJPtgQStii8C+ETalMPy9JJsMPJwcHhropu9+pMfveJr7MaC45SfiFUgOM9g/yu60wykhx/YpQ==

[root at xxxxxx ~]# ods-enforcer key export --keytype KSK --zone 
test1234.si --ds
;publish KSK DS record (SHA256):test1234.si. 3600 IN DS 50706 13 2 
8fdac70eee3a63eb88f1d86fea4fc47f5ef7ed646ecda6ded741f857b862fd8b

[root at xxxxxx ~]# ods-enforcer key export? --keytype KSK --zone 
test1234.si > Ktest1234.si.key
[root at xxxxxx ~]# dnssec-dsfromkey Ktest1234.si.key
test1234.si. IN DS 50706 13 2 
83D4E968ADB95A71117E978604491291D7649FB89B097750735872E2B62BC1B8

Zone is signed ok. With the DS records which is produced by opendnssec 
trust chain does not work while with the DS record produced by 
dnssec-dsfromkey works ok.

Benjamin