[Pdns-users] DNSSEC, which key for the registrar

Asanka Gunasekara asankag at talkup.com.au
Tue Mar 12 19:13:38 UTC 2019


Hi David,

I added all 3 DS keys to the registrar when I set up my DNSSEC settings.

According to your info:
Key Tag : 58353
Algorithm: [13] ECDSA Curve P-256 with SHA-256
Digest Type: (1/2/4)
Digest : x/y/z

Hope this helps.

Kind Regards,
Asanka Gunasekara

P: 1300 825 587
E: support at talkup.com.au [http://talkup.com.au/] | W: www.talkup.com.au [http://www.talkup.com.au/]
Postal Address: PO Box 24, Varsity Lakes QLD 4227

On 12/03/2019 11:13:25 PM, David REYNAUD <david at w3line.fr> wrote:
Hi,
 
After enabling DNSSEC for a zone, which key should I set up/configure in the registrar database?
 
When I do a « pdnsutil show-zone myzone.com » we have many keys. See sample below:
 
pdnsutil show-zone myzone.com 
>This is a Native zone
>Metadata items:
>        API-RECTIFY     1
>        SOA-EDIT-API    DEFAULT
>Zone has NSEC semantics
>keys:
>ID = 1 (CSK), flags = 257, tag = 58353, algo = 13, bits = 256     Active ( ECDSAP256SHA256 )
>CSK DNSKEY = myzone.com. IN DNSKEY 257 3 13 wwwwwwwwwwwwwwwww== ; ( ECDSAP256SHA256 )
>DS = myzone.com. IN DS 58353 13 1 xxxxxxxxxxxxx ; ( SHA1 digest )
>DS = myzone.com. IN DS 58353 13 2 yyyyyyyyyyyyyyyyyyy ; ( SHA256 digest )
>DS = myzone.com. IN DS 58353 13 4 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz ; ( SHA-384 digest )
 
Should I copy/paste the DNSKEY key (ECDSAP256SHA256) or one of the three DS (SHA1 digest, SHA256 digest, SHA-384 digest)?
 
Thanks for the help.
 
 
David REYNAUD
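
Each DS line in the `pdnsutil show-zone` output above is a digest over the zone's owner name and the DNSKEY RDATA (RFC 4034 section 5.1.4), and the tag is a checksum of that same RDATA (Appendix B). The Python below is an added example, not part of the original thread or of PowerDNS: it derives the tag and the three digests from a DNSKEY and checks whether a DS published at the parent matches the key. Function names and the sample public key are constructed for illustration.

```python
import base64
import hashlib

# DS digest type -> hash constructor (types 1, 2 and 4 as listed in the output above).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes) | protocol | algorithm | public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return (key_tag, algorithm, digest_type, hex_digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """True if a DS line ("tag algo type digest") was derived from this DNSKEY."""
    tag, algo, dtype, digest = ds_text.split(None, 3)
    if int(dtype) not in DIGESTS:
        return False
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    got = (int(tag), int(algo), int(dtype), digest.replace(" ", "").lower())
    return got == expected

# Constructed 64-byte value standing in for a P-256 public key (not a real key).
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    for dtype in (1, 2, 4):
        tag, algo, dt, digest = make_ds("myzone.com.", 257, 3, 13, SAMPLE_PUBKEY, dtype)
        print(f"myzone.com. IN DS {tag} {algo} {dt} {digest}")
```

Passing the DS rdata returned by the parent zone to `ds_matches` together with your own DNSKEY fields confirms that the registrar published a record for the key that is actually signing the zone.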
 
