<div dir="ltr"><div dir="ltr">All three is correct. Only the best would be required but keeping them all upstream helps with old clients or resolvers, who understand DNSSEC but not latest crypto.</div><div dir="ltr"><br></div><div>Kevin<br><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Am Di., 12. März 2019 um 20:14 Uhr schrieb Asanka Gunasekara <<a href="mailto:asankag@talkup.com.au">asankag@talkup.com.au</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div id="gmail-m_887826018406715995__MailbirdStyleContent" style="font-size:10pt;font-family:Arial;color:rgb(0,0,0)">
                                        Hi David,<div><br></div><div>I added all 3 DS keys to registrar when i setup my DNSSEC settings.</div><div><br></div><div>According to your info:</div><div>Key Tag : 58353</div><div>Algorythm: <span style="font-family:Arial,Helvetica,sans-serif;font-size:13.3333px;line-height:1.5">[13] ECDSA Curve P-256 with SHA-256</span></div><div><span style="font-family:Arial,Helvetica,sans-serif;font-size:13.3333px;line-height:1.5">Digest Type: (1/2/4)</span></div><div><span style="font-family:Arial,Helvetica,sans-serif;font-size:13.3333px;line-height:1.5">Digest : x/y/z</span></div><div><span style="font-family:Arial,Helvetica,sans-serif;font-size:13.3333px;line-height:1.5"><br></span></div><div><span style="font-family:Arial,Helvetica,sans-serif;font-size:13.3333px;line-height:1.5">Hope this helps.</span></div><div><br></div><div class="gmail-m_887826018406715995mb_sig"><pre style="font-variant-ligatures:normal;padding:5px;font-family:Gotham,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.3;vertical-align:top"><span style="font-variant-ligatures:normal;white-space:normal;color:rgb(174,170,170);font-family:arial,sans-serif;font-size:8.5pt">Kind Regards,</span><br style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><span style="font-variant-ligatures:normal;white-space:normal;color:rgb(174,170,170);font-family:arial,sans-serif;font-size:8.5pt">Asanka Gunasekara</span><br style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><br style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><strong style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><span style="color:rgb(177,21,21);font-family:arial,sans-serif;font-size:8.5pt">P</span></strong><strong style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><span style="color:gray;font-family:arial,sans-serif;font-size:8.5pt">:</span></strong><span style="font-variant-ligatures:normal;white-space:normal;color:gray;font-family:arial,sans-serif;font-size:8.5pt"> </span><span style="font-variant-ligatures:normal;white-space:normal;color:rgb(174,170,170);font-family:arial,sans-serif;font-size:8.5pt">1300 825 587</span><br style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><strong style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><span style="color:rgb(177,21,21);font-family:arial,sans-serif;font-size:8.5pt">E</span></strong><strong style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><span style="color:rgb(174,170,170);font-family:arial,sans-serif;font-size:8.5pt">: </span></strong><span style="font-variant-ligatures:normal;white-space:normal;color:rgb(174,170,170);font-family:arial,sans-serif;font-size:8.5pt">support@<a href="http://talkup.com.au/" target="_blank">talkup.com.au</a><span style="color:rgb(166,166,166)"> </span></span><span style="font-variant-ligatures:normal;white-space:normal;color:rgb(144,144,144);font-family:arial,sans-serif;font-size:8.5pt">| </span><strong style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><span style="color:rgb(177,21,21);font-family:arial,sans-serif;font-size:8.5pt">W:</span></strong><span style="font-variant-ligatures:normal;white-space:normal;color:rgb(144,144,144);font-family:arial,sans-serif;font-size:8.5pt"> </span><span style="font-variant-ligatures:normal;white-space:normal;color:rgb(174,170,170);font-family:arial,sans-serif;font-size:8.5pt"><a class="gmail-m_887826018406715995gmail-m_8622906762729073402m_-2635113235028946856moz-txt-link-abbreviated" href="http://www.talkup.com.au/" target="_blank">www.talkup.com.au</a></span><br style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><strong style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><span style="color:rgb(177,21,21);font-family:arial,sans-serif;font-size:8.5pt">Postal Address: </span></strong><span style="font-variant-ligatures:normal;white-space:normal;color:rgb(174,170,170);font-family:arial,sans-serif;font-size:8.5pt">PO Box 24, Varsity Lakes QLD 4227</span><br style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><br style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"><span style="font-variant-ligatures:normal;white-space:normal;color:green;font-family:arial,sans-serif;font-size:8pt">Please consider the environment before printing this e-mail</span><span style="font-family:Geneva,Helvetica,Arial,sans-serif;font-size:12px;font-variant-ligatures:normal;white-space:normal"> </span><span style="font-variant-ligatures:normal;white-space:normal;color:gray;font-family:tahoma,sans-serif;font-size:8pt">This email message and any attachments are confidential. If you are not the intended recipient, you are notified that any unauthorised disclosure, copying, distribution or use of this information is strictly prohibited. If you have received this email in error, please notify us immediately by return email, or telephone 1300 825 587, and destroy the original message. We have taken precautions to minimise the risk of transmitting software viruses, but we advise you to carry out your own virus checks on any attachment to this message. We cannot accept liability for any loss or damage caused by software viruses.</span></pre></div><blockquote class="gmail-m_887826018406715995history_container" type="cite" style="border-left-style:solid;border-width:1px;margin-top:20px;margin-left:0px;padding-left:10px">
                        <p style="color:rgb(170,170,170);margin-top:10px">On 12/03/2019 11:13:25 PM, David REYNAUD <<a href="mailto:david@w3line.fr" target="_blank">david@w3line.fr</a>> wrote:</p><div style="font-family:Arial,Helvetica,sans-serif">
<div class="gmail-m_887826018406715995WordSection1">
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">After enabling DNSEC for a zone, wich key should i setup/configure on the registrar database ?
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">When i do a « pdnsutil show-zone <a href="http://myzone.com" target="_blank">myzone.com</a> » we have many keys. See sample below :<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">pdnsutil show-zone <a href="http://myzone.com" target="_blank">myzone.com</a> <u></u><u></u></p>
<p class="MsoNormal">>This is a Native zone<u></u><u></u></p>
<p class="MsoNormal">>Metadata items:<u></u><u></u></p>
<p class="MsoNormal">>        API-RECTIFY     1<u></u><u></u></p>
<p class="MsoNormal">>        SOA-EDIT-API    DEFAULT<u></u><u></u></p>
<p class="MsoNormal">>Zone has NSEC semantics<u></u><u></u></p>
<p class="MsoNormal">>keys:<u></u><u></u></p>
<p class="MsoNormal">>ID = 1 (CSK), flags = 257, tag = 58353, algo = 13, bits = 256     Active ( ECDSAP256SHA256 )<u></u><u></u></p>
<p class="MsoNormal">>CSK DNSKEY = <a href="http://myzone.com" target="_blank">myzone.com</a>. IN DNSKEY 257 3 13 wwwwwwwwwwwwwwwww== ; ( ECDSAP256SHA256 )<u></u><u></u></p>
<p class="MsoNormal">>DS = <a href="http://myzone.com" target="_blank">myzone.com</a>. IN DS 58353 13 1 xxxxxxxxxxxxx ; ( SHA1 digest )<u></u><u></u></p>
<p class="MsoNormal">>DS = <a href="http://myzone.com" target="_blank">myzone.com</a>. IN DS 58353 13 2 yyyyyyyyyyyyyyyyyyy ; ( SHA256 digest )<u></u><u></u></p>
<p class="MsoNormal">>DS = <a href="http://myzone.com" target="_blank">myzone.com</a>. IN DS 58353 13 4 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz ; ( SHA-384 digest )<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Should i copy/paste the key DNSKEY (ECDSAP256SHA256) or one of the three DS (SHA1 digest, SHA256 digest, SHA-384 digest) ?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks for the help.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">David REYNAUD<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></blockquote>
                                        </div><div id="gmail-m_887826018406715995DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br>
<table style="border-top:1px solid rgb(211,212,222)">
        <tbody><tr>
        <td style="width:55px;padding-top:13px"><a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient" target="_blank"><img src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif" alt="" width="46" height="29" style="width: 46px; height: 29px;"></a></td>
                <td style="width:470px;padding-top:12px;color:rgb(65,66,78);font-size:13px;font-family:Arial,Helvetica,sans-serif;line-height:18px">Virus-free. <a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient" style="color:rgb(68,83,234)" target="_blank">www.avast.com</a>
                </td>
        </tr>
</tbody></table><a href="#m_887826018406715995_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1"> </a></div></div>_______________________________________________<br>
Pdns-users mailing list<br>
<a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
</blockquote></div></div>