[Pdns-dev] DS RRs do not validate

bert hubert bert.hubert at netherlabs.nl
Wed Apr 27 17:53:24 CEST 2011

Hi James,

I can't reproduce the issue, but I have verified that powerdns does the
right thing for me. This has been added to the regression tests.

I have also verified that your nameserver indeed produces signatures that
'drill' won't validate - probably because they are wrong.

Would it be possible for you to send me your database (securely)?

This would allow me to reproduce the issue (or not, and then we can figure
out what else could be causing it).

I've attached my PGP key.

Kind regards,


On Wed, Apr 27, 2011 at 03:22:33PM +0200, bert hubert wrote:
> On Sat, Apr 23, 2011 at 02:24:30PM -0400, James Cloos wrote:
> > KSK DNSKEY = jhcloos.us IN DNSKEY 257 3 8 AwEAAdDnaycbNggeRGm1GhMhIiP33JGfvp38qlt1KZlnTMeW/4CaVMTCpIG8F2di+G2/HS/n3OBOWh2JWpCMFwkW3KSfOV4b0ZViRqPGdiha/JTXWKY45/CNZISX+oDm22pVY2Gi6K7bvQl0vOk6NHljV5ZochKBg4i27egAHxksqZe2PHr1I2pXqFFua+dCPgStpyQmtg95utYlJKyQDY5GQ1j7P8R8kSYFMl85ej4/kwW0/PNieeZL/H5o2KfI0euoGXgMDn0fiBSlEPM6H8JTuc4JWIoGOmd7hhPupMlcQLIBGFy7R1pQbuRPk4WpKTwkOEIIpHVqAtvuRkk/SK25n0U=
> > DS = jhcloos.us IN DS 23900 8 1 a00d0b5c2d72b86fc636289ce0ac9f1ef4e3830d
> Based on this DNSKEY, the 'drill' tool from NLNetLabs calculates the
> following DS:
> ; jhcloos.us.     IN DS	23900 8 1 a00d0b5c2d72b86fc636289ce0ac9f1ef4e3830d
> So at least algorithm 1 appears to be correctly calculated.
> > :; dig +dnssec +sigchase +trusted-key=./trusted-keys -t MX jhcloos.us @localhost
> > ;; RRset to chase:
> > jhcloos.us.             86400   IN      MX      10 pao.uu.jhcloos.net.
> I'll try to check everything else to see what might be going on.
> 	Bert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 2007 bytes
Desc: PGP Key 0xD2E71575.
URL: <http://mailman.powerdns.com/pipermail/pdns-dev/attachments/20110427/5257656b/attachment.key>

More information about the Pdns-dev mailing list