[Pdns-users] Issue with DNSSEC on subdomains (only)
Support SimpleRezo
simplerezo at gmail.com
Sun Jul 14 14:02:31 UTC 2024
Hi,

I have trouble rolling over DNSSEC keys on subdomains (no issue for
domains, but for all subdomains): the DS digests returned by PowerDNS
queries are incorrect. The calculation on my side, and also the one from
pdnsutil, differs from the DNS responses.

$ drill ds @ns1.simplerezo.com help.simplerezo.com
help.simplerezo.com. 7200 IN DS 52911 10 2 058728e3151830ce369137e0f50d6d5181b4885a853abb52076f441bcc586f8b
help.simplerezo.com. 7200 IN DS 46522 13 2 6504f604d391e1b40e860f3b2d2bff08f672239f4516471659383ca9d287f8fb

$ pdnsutil show-zone help.simplerezo.com | grep 'SHA256 digest'
DS = help.simplerezo.com. IN DS 52911 10 2 058728e3151830ce369137e0f50d6d5181b4885a853abb52076f441bcc586f8b ; ( SHA256 digest )
DS = help.simplerezo.com. IN DS 46522 13 2 1fad5fa3556072748a53d6b38924d718fa83121d23f8d5b759392aa8a880bf78 ; ( SHA256 digest )

As you can see, for algorithm RSASHA512 the digests match, but for
ECDSAP256SHA256 they do not.

Public key checks:

$ drill -b 1024 dnskey @ns1.simplerezo.com help.simplerezo.com | grep '257 3 13'
help.simplerezo.com. 1800 IN DNSKEY 257 3 13 aqwixB/PBocgbN/MG/87Qd4jJ3lTd2jz43znAyO1c64h+YxtU+zYB2SeCG/HDLgy8h4FtagjGUg6rrAbPxXYuQ== ;{id = 46522 (ksk), size = 256b}

$ pdnsutil show-zone help.simplerezo.com | grep '257 3 13'
KSK DNSKEY = help.simplerezo.com. IN DNSKEY 257 3 13 aqwixB/PBocgbN/MG/87Qd4jJ3lTd2jz43znAyO1c64h+YxtU+zYB2SeCG/HDLgy8h4FtagjGUg6rrAbPxXYuQ== ; ( ECDSAP256SHA256 )

PowerDNS version is 4.9.1, running on FreeBSD with a MySQL backend and
openssl 3.0.14.
Thanks for your help!
Regards
--
Clement
SimpleRezo
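
An independent way to check which of the two SHA-256 DS digests in the message above corresponds to the published KSK, added here as an example (it is not from the poster or from PowerDNS): it rebuilds the DS digest and key tag from the DNSKEY as defined in RFC 4034 and compares the result with both values. The function names and the CANDIDATES labels are assumptions of this example; the owner name, key and digests are copied from the post.

```python
import base64
import hashlib
import struct

# Values copied from the post; nothing here queries the network.
OWNER = "help.simplerezo.com."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBKEY_B64 = ("aqwixB/PBocgbN/MG/87Qd4jJ3lTd2jz43znAyO1c64h+YxtU+zYB2SeCG/"
              "HDLgy8h4FtagjGUg6rrAbPxXYuQ==")
CANDIDATES = {  # labels are this example's own
    "drill ds @ns1": "6504f604d391e1b40e860f3b2d2bff08f672239f4516471659383ca9d287f8fb",
    "pdnsutil show-zone": "1fad5fa3556072748a53d6b38924d718fa83121d23f8d5b759392aa8a880bf78",
}

def name_to_wire(name):
    """Canonical owner name: lowercased, length-prefixed labels, root byte."""
    stripped = name.rstrip(".").lower()
    wire = b""
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def matching_sources(owner=OWNER):
    """Return the computed digest and the CANDIDATES labels that equal it."""
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    digest = ds_sha256(owner, rdata)
    return digest, [src for src, d in CANDIDATES.items() if d == digest]

if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    digest, sources = matching_sources()
    print("key tag:", key_tag(rdata))
    print("DS SHA-256:", digest)
    print("matches:", sources or "neither value from the post")
```

Because the owner name is part of the hashed input, the same DNSKEY yields a different DS digest under a different owner name, so a digest that matches neither candidate is worth re-running with the exact name stored in the backend.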