[Opendnssec-user] wrong DS record
Benjamin Zwittnig
benjamin.zwittnig at arnes.si
Mon Nov 6 09:49:20 UTC 2023
Hi,
We have noticed that on AlmaLinux 9.2, with opendnssec installed from the
official repo, the command 'ods-enforcer key export --ds' prints the wrong DS
record:
[root@xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si
test1234.si. 3600 IN DNSKEY 257 3 13 VtW3wv6GauZXSJPtgQStii8C+ETalMPy9JJsMPJwcHhropu9+pMfveJr7MaC45SfiFUgOM9g/yu60wykhx/YpQ==
[root@xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si --ds
;publish KSK DS record (SHA256):test1234.si. 3600 IN DS 50706 13 2 8fdac70eee3a63eb88f1d86fea4fc47f5ef7ed646ecda6ded741f857b862fd8b
[root@xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si > Ktest1234.si.key
[root@xxxxxx ~]# dnssec-dsfromkey Ktest1234.si.key
test1234.si. IN DS 50706 13 2 83D4E968ADB95A71117E978604491291D7649FB89B097750735872E2B62BC1B8
The zone is signed OK. With the DS record which is produced by opendnssec the
trust chain does not work, while with the DS record produced by
dnssec-dsfromkey it works OK.
Benjamin