[Pdns-users] Sending up public dnssec key to registry thru EPP

Pieter Lexis pieter.lexis at powerdns.com
Thu Nov 30 16:04:15 UTC 2017

Hello Daniel,

On Thu, 30 Nov 2017 16:23:53 +0100
Daniel Eriksson <daniel at egensajt.se> wrote:

> On a zone I get the following result from pdnsutil show-zone
> [...]
> Now I'm sending the following command to the IIS EPP server, choosing the SHA256 digest:
> [ ... ]
> But this has no effect, the domain is still unsigned, am I sending up the wrong public key?

This might be because you sent domain.se via EPP where egenblog.se is the actual domain name.
If this is because you attempt to obfuscate data, do not do this and see our support policy[1].

It looks like your zone is properly signed but that there is indeed no secure delegation yet[2].

Assuming you used the right domain name in the EPP message.
It can be that .se wants the DNSKEY and not the DS record.
It might be that the registry refreshes its zones only e.g. every hour and your update has not passed yet.
It might also be that the registry does some checks first and this is why it is delayed.
Another reason is that the EPP message is wrong and the EPP response did not indicate this or was not read?

Hope this helps in further debugging.

Best regards,


1 - https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
2 - http://dnsviz.net/d/egenblog.se/WiAqKw/dnssec/

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
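
A DS record is a hash over the owner name plus the DNSKEY RDATA, so a digest computed for a different name or key does not match the zone's key. The following is an added example (not part of the original message and not PowerDNS code) that derives the SHA-256 DS from DNSKEY fields per RFC 4034 and RFC 4509, for comparison with what was sent over EPP; the key bytes are constructed sample data, not a real key.

```python
import base64
import hashlib
import struct


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_sha256(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) for one DNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    # DS digest input is owner name (wire form) followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


# Constructed sample key material (NOT a real key): 64 octets, algorithm 13.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    # Same key, two owner names: the key tag is equal, the digest is not.
    for zone in ("egenblog.se", "domain.se"):
        tag, alg, dtype, digest = ds_sha256(zone, 257, 3, 13, SAMPLE_KEY)
        print(f"{zone}. IN DS {tag} {alg} {dtype} {digest}")
```

Feed it the flags, protocol, algorithm and base64 key from the zone's DNSKEY record and compare the result with the DS data in the EPP request.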
