Bind 9.9.x operation with dnssec
Jeremy C. Reed
jreed at isc.org
Sat Jun 2 00:41:25 UTC 2012
On Fri, 1 Jun 2012, Alan Batie wrote:
> When it comes to the DS records registered at the registrar, I'm not
> sure where that comes from: the only way I can see to get it is to do a
> DS query from the nameserver (and at least one document basically said
> that). First, I'd like to know where it comes from, and second, it
> seems much too small, given KSKs are supposed to be bigger as a result
> of being longer lived:
>
> raindrop.us. 1903 IN DS 41190 5 2
> C2927E697D868DB1AEF54642E9B59079CF5412AAA36846290AB20215 9CBAFBEA
>
> vs
>
> raindrop.us. 3600 IN DNSKEY 256 3 5
> AwEAAb3vNnkqkoG7brIDkPDSbnFDeFV2FmD+RktZFL3DDIIkM9Xkpker
> sFTscUWFeta/DEBg8Jvgznyw6iiBCPob5Q9Vluv4mT+HNAm5F2W5wLww
> FkJ8ia1xuZoAAl3jCHW3Cj5Dkkr0yVSSZrbORJ1/PnnKhb09o2LPjMr6 /hUjzlzV
You can use the dnssec-dsfromkey tool to generate the DS records (using
the 257/KSK). The DS is smaller because it is a digest (hash) of the
public key.
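To make the "digest of the public key" concrete, here is an added example (not code from the thread or from BIND) that builds a DS record the way RFC 4034 defines it: the digest is computed over the canonical owner name followed by the DNSKEY RDATA, and the key tag comes from the RDATA alone. It uses the raindrop.us DNSKEY quoted above as input; since that record is the 256/ZSK rather than the 257/KSK, the output is illustrative and will not reproduce the DS shown in the quote.

```python
import base64
import hashlib
import struct

# DNSKEY public key quoted in the thread (the 256 = ZSK record), base64 lines joined.
PAGE_DNSKEY_B64 = (
    "AwEAAb3vNnkqkoG7brIDkPDSbnFDeFV2FmD+RktZFL3DDIIkM9Xkpker"
    "sFTscUWFeta/DEBg8Jvgznyw6iiBCPob5Q9Vluv4mT+HNAm5F2W5wLww"
    "FkJ8ia1xuZoAAl3jCHW3Cj5Dkkr0yVSSZrbORJ1/PnnKhb09o2LPjMr6"
    "/hUjzlzV"
)

DIGEST_TYPES = {1: "sha1", 2: "sha256"}  # DS digest type codes (RFC 4034 / RFC 4509)


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_name(owner):
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root byte."""
    labels = [l.encode("ascii").lower() for l in owner.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def ds_record(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return the DS RR presentation string for a DNSKEY, in the form dnssec-dsfromkey prints.

    digest = H(canonical owner name || DNSKEY RDATA): a fixed-size hash, which is
    why the DS is so much shorter than the key it identifies.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    data = canonical_name(owner) + rdata
    digest = hashlib.new(DIGEST_TYPES[digest_type], data).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    # Registrars want the DS of the KSK (flags 257); this input is the ZSK (256) from the thread,
    # so the printed record is for illustration only and will not match the DS quoted there.
    print(ds_record("raindrop.us.", 256, 3, 5, PAGE_DNSKEY_B64, 2))
```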