[Pdns-users] Sending up public dnssec key to registry thru EPP

Daniel Eriksson daniel at egensajt.se
Thu Nov 30 17:15:43 UTC 2017


Hi,

According to this https://tools.ietf.org/html/rfc4034#section-5.1.3

the digest should be, quote: "a 20 octet digest"

<secDNS:dsData>
<secDNS:keyTag>27425</secDNS:keyTag>
<secDNS:alg>13</secDNS:alg>
<secDNS:digestType>2</secDNS:digestType>
<secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
</secDNS:dsData>

So the digest above, 49FD46E6C4B45C55D4AC, should be 20 octets.

But where can I find this 20 octet digest in my PowerDNS?


It's not in pdnsutil show-zone, nor is it in the cryptokeys table.

Do you know how I can calculate this digest?

/ Daniel




On 2017-11-30 at 17:04, Pieter Lexis wrote:
> Hello Daniel,
>
> On Thu, 30 Nov 2017 16:23:53 +0100
> Daniel Eriksson <daniel at egensajt.se> wrote:
>
>> On a zone I get the following result from pdnsutil show-zone
>> [...]
>> Now I'm sending the following command to the IIS EPP server, choosing the SHA256 digest:
>> [ ... ]
>> But this has no effect, the domain is still unsigned, am I sending up the wrong public key?
> This might be because you sent domain.se via EPP where egenblog.se is the actual domain name.
> If this is because you attempt to obfuscate data, do not do this and see our support policy[1].
>
> It looks like your zone is properly signed but that there is indeed no secure delegation yet[2]
>
> Assuming you used the right domain name in the EPP message.
> It can be that .se wants the DNSKEY and not the DS record.
> It might be that the registry refreshed its zones only e.g. every hour and your update has not passed yet.
> It might also be that the registry does some checks first and this is why it is delayed.
> Another reason is that the EPP message is wrong and the EPP response did not indicate this or was not read?
>
> Hope this helps in further debugging.
>
> Best regards,
>
> Pieter
>
> 1 - https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
> 2 - http://dnsviz.net/d/egenblog.se/WiAqKw/dnssec/
>

-- 
=====================
Regards, Daniel Eriksson
www.egensajt.se
031-7877050
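
Added example, not part of the original message and not PowerDNS code: RFC 4034 section 5.1.4 defines the DS digest as the hash of the owner name in canonical wire format followed by the DNSKEY RDATA, so it can be computed from the DNSKEY fields that pdnsutil show-zone prints. Digest type 1 (SHA-1) yields 20 octets and digest type 2 (SHA-256, RFC 4509) yields 32. The owner name example.se and the public key bytes below are constructed sample values.

```python
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format: lower-case, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA = flags (2 octets) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest for the secDNS:digest element: hash(owner wire name | DNSKEY RDATA)."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()


# Constructed sample input: a KSK (flags 257), protocol 3, algorithm 13, with a
# placeholder 64-octet public key. Substitute the values from your own DNSKEY.
SAMPLE_OWNER = "example.se."
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_KEY_B64)

if __name__ == "__main__":
    for digest_type in (1, 2):
        digest = ds_digest(SAMPLE_OWNER, SAMPLE_RDATA, digest_type)
        # keyTag, alg, digestType, digest, and the digest length in octets
        print(key_tag(SAMPLE_RDATA), 13, digest_type, digest, len(digest) // 2)
```

The owner name passed in must be the zone the DNSKEY belongs to, because it is part of the hashed input; a digest computed over a different name will not match at the registry.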


