[Pdns-users] Sending up public dnssec key to registry thru EPP

Daniel Eriksson daniel at egensajt.se
Thu Nov 30 17:15:43 UTC 2017


According to this https://tools.ietf.org/html/rfc4034#section-5.1.3

the digest should be, quote: "a 20 octet digest"


So the digest above, 49FD46E6C4B45C55D4AC should be a 20 octet

But where can I find this 20 octet digest in my powerdns?

It's not in pdnsutil show-zone and it's not in the table cryptokeys either

Do you know how I can calculate this digest?

/ Daniel

On 2017-11-30 at 17:04, Pieter Lexis wrote:
> Hello Daniel,
> On Thu, 30 Nov 2017 16:23:53 +0100
> Daniel Eriksson <daniel at egensajt.se> wrote:
>> On a zone I get the following result from pdnsutil show-zone
>> [...]
>> Now I'm sending the following command to the IIS Epp server choosing the SHA256 digest:
>> [ ... ]
>> But this has no effect, the domain is still unsigned, am I sending up the wrong public key?
> This might be because you sent domain.se via EPP where egenblog.se is the actual domain name.
> If this is because you attempt to obfuscate data, do not do this and see our support policy[1].
> It looks like your zone is properly signed but that there is indeed no secure delegation yet[2]
> Assuming you used the right domain name in the EPP message.
> It can be that .se wants the DNSKEY and not the DS record.
> It might be that the registry refreshed its zones only e.g. every hour and your update has not passed yet.
> It might also be that the registry does some checks first and this is why it is delayed.
> Another reason is that the EPP message is wrong and the EPP response did not indicate this or was not read?
> Hope this helps in further debugging.
> Best regards,
> Pieter
> 1 - https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
> 2 - http://dnsviz.net/d/egenblog.se/WiAqKw/dnssec/

Best regards, Daniel Eriksson
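
The calculation asked about above, as an added example that is not part of the original thread and not PowerDNS code: per RFC 4034 section 5.1.4, the DS digest is a hash over the owner name in canonical wire form followed by the DNSKEY RDATA, and the digest length depends on the digest type (SHA-1 gives 20 octets, SHA-256 gives 32). The function names are hypothetical and the key material is constructed, not the real key of egenblog.se.

```python
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1 (20 octets), 2 = SHA-256 (32 octets)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of the owner name: lowercased, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 octets), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


if __name__ == "__main__":
    # Constructed key material, NOT the real egenblog.se key: paste the flags,
    # protocol, algorithm and base64 key from the zone's DNSKEY record instead.
    sample = ("egenblog.se", 257, 3, 8, "AQIDBA==")
    for dtype in (1, 2):
        tag, alg, dt, digest = make_ds(*sample, digest_type=dtype)
        print("%s. IN DS %d %d %d %s" % (sample[0], tag, alg, dt, digest))
```

The four returned values are the key tag, algorithm, digest type and digest that make up a DS record, so the digest type chosen in the EPP message must match the hash actually used.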
