[Opendnssec-user] wrong DS record

Benjamin Zwittnig benjamin.zwittnig at arnes.si
Mon Nov 6 09:49:20 UTC 2023


We have noticed that on AlmaLinux 9.2 with opendnssec installed from 
the official repo the command 'ods-enforcer key export --ds' prints wrong DS 

[root at xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si
test1234.si. 3600 IN DNSKEY 257 3 13 

[root at xxxxxx ~]# ods-enforcer key export --keytype KSK --zone test1234.si --ds
;publish KSK DS record (SHA256):test1234.si. 3600 IN DS 50706 13 2 

[root at xxxxxx ~]# ods-enforcer key export  --keytype KSK --zone test1234.si > Ktest1234.si.key
[root at xxxxxx ~]# dnssec-dsfromkey Ktest1234.si.key
test1234.si. IN DS 50706 13 2 

The zone is signed OK. With the DS record produced by opendnssec the 
trust chain does not work, while with the DS record produced by 
dnssec-dsfromkey it works OK.
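
An independent check for this kind of mismatch, added here as an example and not part of the original post or of OpenDNSSEC: it recomputes the SHA-256 DS (key tag per RFC 4034 Appendix B, digest over canonical owner name plus DNSKEY RDATA) and compares it with a DS line in either tool's output format. The key and digests are elided in the post, so `SAMPLE_DNSKEY` is a constructed placeholder and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY line: the key bytes are 0..63, not a real P-256 key.
SAMPLE_DNSKEY = ("test1234.si. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())

def name_to_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Return (owner, rdata) from a one-line DNSKEY in presentation format."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    key = base64.b64decode("".join(f[i + 4:]))  # base64 may be space-split
    return f[0], struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(dnskey_line):
    """Return (key tag, algorithm, digest type 2, hex digest) for the key."""
    owner, rdata = parse_dnskey(dnskey_line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(dnskey_line, ds_line):
    """True if a DS line (either tool's output format) matches the DNSKEY."""
    f = ds_line.split()
    # Use the last "DS" token: ods-enforcer prefixes the record with a
    # ";... KSK DS record (SHA256):" comment that also contains "DS".
    i = len(f) - 1 - f[::-1].index("DS")
    claimed = (int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
               "".join(f[i + 4:]).upper())
    return claimed == ds_sha256(dnskey_line)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_sha256(SAMPLE_DNSKEY)
    print(f"test1234.si. IN DS {tag} {alg} {dtype} {digest}")
```

Feeding the real exported DNSKEY line and each tool's DS line to `ds_matches` shows which of the two records actually corresponds to the published key.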

