[Pdns-users] DNSSEC, which key for the registrar

Kevin Olbrich ko at sv01.de
Tue Mar 12 20:12:51 UTC 2019


All three are correct. Only the best would be required but keeping them all
upstream helps with old clients or resolvers, which understand DNSSEC but not
the latest crypto.

Kevin


On Tue, 12 Mar 2019 at 20:14, Asanka Gunasekara <
asankag at talkup.com.au> wrote:

> Hi David,
>
> I added all 3 DS keys to the registrar when I set up my DNSSEC settings.
>
> According to your info:
> Key Tag : 58353
> Algorithm: [13] ECDSA Curve P-256 with SHA-256
> Digest Type: (1/2/4)
> Digest : x/y/z
>
> Hope this helps.
>
> Kind Regards,
> Asanka Gunasekara
>
> On 12/03/2019 11:13:25 PM, David REYNAUD <david at w3line.fr> wrote:
>
> Hi,
>
> After enabling DNSSEC for a zone, which key should I set up/configure on the
> registrar database?
>
> When I do a "pdnsutil show-zone myzone.com" we have many keys. See
> sample below:
>
> pdnsutil show-zone myzone.com
> >This is a Native zone
> >Metadata items:
> >        API-RECTIFY     1
> >        SOA-EDIT-API    DEFAULT
> >Zone has NSEC semantics
> >keys:
> >ID = 1 (CSK), flags = 257, tag = 58353, algo = 13, bits = 256     Active ( ECDSAP256SHA256 )
> >CSK DNSKEY = myzone.com. IN DNSKEY 257 3 13 wwwwwwwwwwwwwwwww== ; ( ECDSAP256SHA256 )
> >DS = myzone.com. IN DS 58353 13 1 xxxxxxxxxxxxx ; ( SHA1 digest )
> >DS = myzone.com. IN DS 58353 13 2 yyyyyyyyyyyyyyyyyyy ; ( SHA256 digest )
> >DS = myzone.com. IN DS 58353 13 4 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz ; ( SHA-384 digest )
>
> Should I copy/paste the key DNSKEY (ECDSAP256SHA256) or one of the three
> DS (SHA1 digest, SHA256 digest, SHA-384 digest)?
>
> Thanks for the help.
>
> David REYNAUD
>


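Added example, not part of the thread and not PowerDNS code: the three DS lines in the pdnsutil output are digests (types 1, 2 and 4) of the same DNSKEY, so a DS record shown by a registrar can be checked by recomputing it from the DNSKEY line. The key below is constructed because the thread masks the real values, and the function names are this example's own; strip the "DS = " and "CSK DNSKEY = " prefixes before passing real pdnsutil lines.

```python
import base64
import hashlib

# DS digest types as they appear in the pdnsutil output: 1, 2 and 4.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name in canonical (lower-case) DNS wire form."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(name, rdata, digest_type):
    """DS digest (RFC 4034 section 5.1.4): hash(owner name | DNSKEY RDATA), as hex."""
    return DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest()

def check_ds(ds_line, dnskey_line):
    """True if 'name IN DS tag algo type digest' was derived from the DNSKEY line."""
    ds = ds_line.split(";")[0].split()        # drop the trailing "; ( ... )" comment
    key = dnskey_line.split(";")[0].split()
    tag, algo, dtype = (int(x) for x in ds[3:6])
    if dtype not in DIGESTS or ds[0].lower() != key[0].lower():
        return False
    rdata = dnskey_rdata(int(key[3]), int(key[4]), int(key[5]), "".join(key[6:]))
    return (tag == key_tag(rdata) and algo == int(key[5])
            and "".join(ds[6:]).lower() == ds_digest(ds[0], rdata, dtype))

# Constructed sample (the thread masks real values): key is bytes 0..63, not a real P-256 key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
DNSKEY = f"myzone.com. IN DNSKEY 257 3 13 {SAMPLE_KEY} ; ( ECDSAP256SHA256 )"

def sample_ds_lines():
    """The three DS lines (digest types 1, 2, 4) for the constructed key."""
    rdata = dnskey_rdata(257, 3, 13, SAMPLE_KEY)
    return [f"myzone.com. IN DS {key_tag(rdata)} 13 {t} "
            f"{ds_digest('myzone.com.', rdata, t)}" for t in (1, 2, 4)]

if __name__ == "__main__":
    for line in sample_ds_lines():
        print(line, "->", "matches DNSKEY" if check_ds(line, DNSKEY) else "MISMATCH")
```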