[Pdns-users] Sending up public dnssec key to registry thru EPP

Daniel Eriksson daniel at egensajt.se
Thu Nov 30 15:23:53 UTC 2017


Hi all!

On a zone I get the following result from pdnsutil show-zone:


ID = 3 (CSK), flags = 257, tag = 27425, algo = 13, bits = 256     Active ( ECDSAP256SHA256 )
CSK DNSKEY = domain.se. IN DNSKEY 257 3 13 6TPW2LtkyHxnp6seozCgy30K1de6VyjdhRj9bojnM2lnEx7mp27A0nGs/tEoIOL4zD/I34gppG0+8WCvZbUmlA== ; ( ECDSAP256SHA256 )
DS = egenblog.se. IN DS 27425 13 1 7d75ae2189369bc118e725001bfa86ff7af66206 ; ( SHA1 digest )
DS = egenblog.se. IN DS 27425 13 2 ad9db84fc7ac21653489c5497c9eb46e56b362e4f52e9b7e9819eed290f06b94 ; ( SHA256 digest )
DS = egenblog.se. IN DS 27425 13 3 472a9c2dc388036c326d0258030902c9ea80842d4cedb86baa58d58bb94f87ef ; ( GOST R 34.11-94 digest )
DS = egenblog.se. IN DS 27425 13 4 b8b8c05fa5545fa8f2d22e319d97fc9b9e6ec124f36387ee0d42f910d777caa6e315d4cba2b16bc0b535e1a555d1482f ; ( SHA-384 digest )


Now I'm sending the following command to the IIS EPP server, choosing the 
SHA256 digest:


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
   <command>
     <update>
       <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0" 
xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
         <domain:name>domain.se</domain:name>
       </domain:update>
     </update>
     <extension>
       <secDNS:update xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.0" 
xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.0 secDNS-1.0.xsd">
         <secDNS:add>
           <secDNS:keyTag>27425</secDNS:keyTag>
           <secDNS:alg>13</secDNS:alg>
           <secDNS:digestType>2</secDNS:digestType>
           <secDNS:digest>ad9db84fc7ac21653489c5497c9eb46e56b362e4f52e9b7e9819eed290f06b94</secDNS:digest>
         </secDNS:add>
       </secDNS:update>
     </extension>
     <clTRID>HJGS-20171130T145642Z-8176</clTRID>
   </command>
</epp>



But this has no effect; the domain is still unsigned. Am I sending up 
the wrong public key?



Kind regards,
Daniel
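
The following Python check is an added example, not part of the original post or of PowerDNS: it parses a secDNS-1.0 update like the one above and compares it with the DS record printed by pdnsutil, using the RFC 4310 layout in which the DS fields are wrapped in secDNS:dsData inside secDNS:add. The helper epp_update and its trimmed envelope are assumptions made for the example; the DS values are the SHA256 ones from the post.

```python
import re
import xml.etree.ElementTree as ET

SECDNS = "urn:ietf:params:xml:ns:secDNS-1.0"
NS = {"s": SECDNS}
FIELDS = ("keyTag", "alg", "digestType", "digest")
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # SHA-1, SHA-256, SHA-384

def parse_ds(line):
    """Parse '<owner> IN DS <tag> <alg> <type> <hex>' as printed by pdnsutil show-zone."""
    m = re.search(r"IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)", line)
    if not m:
        raise ValueError("not a DS record: %r" % line)
    return int(m[1]), int(m[2]), int(m[3]), m[4].lower()

def check_update(epp_xml, ds_line):
    """Return the problems found in a secDNS-1.0 update meant to add ds_line."""
    want, problems, seen = parse_ds(ds_line), [], []
    add = ET.fromstring(epp_xml).find(".//s:update/s:add", NS)
    if add is None:
        return ["no secDNS:update/secDNS:add element"]
    # RFC 4310: <add> holds one or more <dsData>, each wrapping the four DS fields.
    if add.find("s:keyTag", NS) is not None:
        problems.append("DS fields sit directly in secDNS:add, not in secDNS:dsData")
    for ds in add.findall("s:dsData", NS) or [add]:
        vals = [ds.findtext("s:" + name, "", NS).strip() for name in FIELDS]
        if not all(vals) or not all(v.isdigit() for v in vals[:3]):
            problems.append("incomplete or non-numeric DS fields")
            continue
        got = (int(vals[0]), int(vals[1]), int(vals[2]), vals[3].lower())
        if len(got[3]) != DIGEST_HEX_LEN.get(got[2], len(got[3])):
            problems.append("digest length does not fit digestType %d" % got[2])
        seen.append(got)
    if want not in seen:
        problems.append("no submitted DS matches the pdnsutil DS record")
    return problems

def epp_update(add_body):  # hypothetical helper: trimmed copy of the posted envelope
    return ('<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><update>'
            '<domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">'
            '<domain:name>domain.se</domain:name></domain:update></update><extension>'
            '<secDNS:update xmlns:secDNS="%s"><secDNS:add>%s</secDNS:add>'
            '</secDNS:update></extension></command></epp>' % (SECDNS, add_body))

DS_LINE = ("egenblog.se. IN DS 27425 13 2 "  # SHA256 DS line from the post
           "ad9db84fc7ac21653489c5497c9eb46e56b362e4f52e9b7e9819eed290f06b94")
DS_XML = "".join("<secDNS:%s>%s</secDNS:%s>" % (n, v, n)
                 for n, v in zip(FIELDS, DS_LINE.split()[3:]))
POSTED = epp_update(DS_XML)                                         # layout as posted
WRAPPED = epp_update("<secDNS:dsData>%s</secDNS:dsData>" % DS_XML)  # RFC 4310 layout
print(check_update(POSTED, DS_LINE), check_update(WRAPPED, DS_LINE))
```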


