convert Knot DNS signatures certs to BIND format.
    Milan Jeskynka Kazatel 
    KazatelM at seznam.cz
       
    Fri Mar 15 08:04:07 UTC 2019
    
    
  
Hello Tony,
Awesome. 
Many thanks for your explanation and clarification. 
Now everything is as I expected.
Best regards,
-- 
Smil Milan Jeskyňka Kazatel
---------- Original e-mail ----------
From: Tony Finch <dot at dotat.at>
To: Milan Jeskynka Kazatel <KazatelM at seznam.cz>
Date: 14. 3. 2019 17:23:38
Subject: Re: convert Knot DNS signatures certs to BIND format.
"Milan Jeskynka Kazatel <KazatelM at seznam.cz> wrote: 
> 
> Now I'm able to sign my zone. But in the dsset file, which should contain the
> same DS as I already have in the parent zone, I have a different "keytag" and
> a different hash.
>
> In my case the "keytag" in the dsset file is 43120.
OK, referring to your previous message... 
> > My original "keytag" is 43121. 
The keytag calculation is a very simple checksum so the fact that the 
correct and incorrect tags differ by 1 is a big clue :-) The KSK flag's 
value is 1 (ZSK flags == 256, KSK flags == 257) so it looks like you 
missed out the `-f KSK` option to dnssec-keygen when making the template 
key files. 
You can fix this by changing 256 to 257 in the .key file(s) that should be 
KSKs and re-signing the zone. Double check that the key file names match 
the key tags, e.g. this is wrong: 
$ dnssec-dsfromkey Kexample.com.+013+19633.key 
example.com. IN DS 19634 13 1 32CF6889AEBABD43F2A87A59D4EC13A18A91AA0A 
(Unexpectedly, BIND does not always get upset when the keytag in a key 
file name doesn't match the computed keytag, so it's possible to get 
things slightly wrong and not notice unless you double check.) 
Tony. 
-- 
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ 
Southeast Iceland: Cyclonic, mainly northeasterly, 5 to 7, decreasing 4 at 
times. Rough or very rough. Wintry showers. Good, occasionally poor."
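
The checksum Tony mentions is the key tag algorithm from RFC 4034 Appendix B. The following is an added example, not part of the original thread: it computes the tag from a DNSKEY record and compares it with the tag in the key file name. The function names, the 64-byte key and the file name are constructed for illustration.

```python
import base64
import re
import struct

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        # Even-offset bytes are the high half of each 16-bit word, odd the low half.
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format RDATA: flags (16 bits), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def check_key_file(filename: str, record_line: str) -> dict:
    """Compare the tag in a K<zone>+<alg>+<tag>.key name with the computed tag."""
    m = re.fullmatch(r"K(.+)\+(\d{3})\+(\d{5})\.key", filename)
    if not m:
        raise ValueError("not a K<zone>+<alg>+<tag>.key file name")
    fields = record_line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    computed = key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey))
    name_tag = int(m.group(3))
    return {"flags": flags, "name_tag": name_tag,
            "computed_tag": computed, "match": name_tag == computed}

# Constructed sample data: a 64-byte stand-in for an algorithm 13 public key.
SAMPLE_PUBKEY = bytes(range(64))

def sample_record(flags: int) -> str:
    """Constructed DNSKEY line in .key file presentation format."""
    b64 = base64.b64encode(SAMPLE_PUBKEY).decode()
    return f"example.com. IN DNSKEY {flags} 3 13 {b64}"

if __name__ == "__main__":
    # File named for the KSK tag, but the record still carries ZSK flags (256).
    print(check_key_file("Kexample.com.+013+59409.key", sample_record(256)))
    # After changing 256 to 257 the computed tag matches the file name.
    print(check_key_file("Kexample.com.+013+59409.key", sample_record(257)))
```

The low byte of the flags field is added directly into the checksum, so setting the SEP bit (256 to 257) raises the tag by exactly 1 for this sample key.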