From benjamin.zwittnig at arnes.si Mon Nov 6 09:49:20 2023
From: benjamin.zwittnig at arnes.si (Benjamin Zwittnig)
Date: Mon, 6 Nov 2023 10:49:20 +0100
Subject: [Opendnssec-user] wrong DS record
Message-ID:

Hi,

We have noticed that on AlmaLinux 9.2 with opendnssec installed from the official repo, the command 'ods-enforcer key export --ds' prints a wrong DS record:

[root at xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si
test1234.si. 3600 IN DNSKEY 257 3 13 VtW3wv6GauZXSJPtgQStii8C+ETalMPy9JJsMPJwcHhropu9+pMfveJr7MaC45SfiFUgOM9g/yu60wykhx/YpQ==
[root at xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si --ds
;publish KSK DS record (SHA256):test1234.si. 3600 IN DS 50706 13 2 8fdac70eee3a63eb88f1d86fea4fc47f5ef7ed646ecda6ded741f857b862fd8b
[root at xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si > Ktest1234.si.key
[root at xxxxxx ~]# dnssec-dsfromkey Ktest1234.si.key
test1234.si. IN DS 50706 13 2 83D4E968ADB95A71117E978604491291D7649FB89B097750735872E2B62BC1B8

Zone is signed ok. With the DS record which is produced by opendnssec the trust chain does not work, while with the DS record produced by dnssec-dsfromkey it works ok.

Benjamin
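
A way to check independently which of the two DS records belongs to the exported DNSKEY, as an added example that is not part of the original post: it recomputes the key tag (RFC 4034, Appendix B) and the SHA-256 DS digest (RFC 4509) using only Python's standard library. The owner name, DNSKEY fields and both digests are copied from the message; the function and variable names are chosen here.

```python
import base64
import hashlib
import struct

# Values copied from the message above.
OWNER = "test1234.si."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBKEY_B64 = ("VtW3wv6GauZXSJPtgQStii8C+ETalMPy9JJsMPJwcHhropu9+pMfveJr"
              "7MaC45SfiFUgOM9g/yu60wykhx/YpQ==")
CANDIDATES = {  # DS digest as printed by each tool
    "ods-enforcer": "8fdac70eee3a63eb88f1d86fea4fc47f5ef7ed646ecda6ded741f857b862fd8b",
    "dnssec-dsfromkey": "83D4E968ADB95A71117E978604491291D7649FB89B097750735872E2B62BC1B8",
}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("DNS label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 octets), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner name in wire form | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def matching_sources(owner, rdata, candidates):
    """Names of the tools whose printed digest equals the recomputed one."""
    digest = ds_sha256(owner, rdata)
    return [src for src, hexd in candidates.items() if hexd.lower() == digest]

if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    print(f"{OWNER} IN DS {key_tag(rdata)} {ALGORITHM} 2 {ds_sha256(OWNER, rdata)}")
    print("matches:", matching_sources(OWNER, rdata, CANDIDATES) or "neither")
```

The owner name is part of the hashed input, so if neither digest matches, first confirm that the name passed in is exactly the zone apex the key was exported for.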