Inline signing fails dnsviz test.

Tony Finch dot at dotat.at
Mon May 10 18:17:48 UTC 2021


Dan Egli <dan at newideatest.site> wrote:
>
> Where do I get the DS record, since I'm using bind's inline signing?

Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the
KSK file)

	$ grep This Kcam.ac.uk.+013+32840.key
	; This is a key-signing key, keyid 32840, for cam.ac.uk.
	$ dnssec-dsfromkey -2 Kcam.ac.uk.+013+32840.key
	cam.ac.uk. IN DS 32840 13 2 2BDAF21907420CE792AF02B55071953BC2BDB64B5126710E12AF89F711322B85

or from your DNSKEY RRset (safest to run this on your primary to be sure
the keys aren't mangled)

	$ dig cam.ac.uk dnskey | dnssec-dsfromkey -2 -f - cam.ac.uk
	cam.ac.uk. IN DS 32840 13 2 2BDAF21907420CE792AF02B55071953BC2BDB64B5126710E12AF89F711322B85

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Berwick upon Tweed to Whitby: South backing southeast, 3 to 5,
occasionally 6 at first. Slight or moderate becoming slight. Showers,
perhaps thundery later. Good occasionally moderate later.
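
[Added example, not part of the original message and not BIND code.] What the `dnssec-dsfromkey -2` commands above compute, per RFC 4034: the key tag and the SHA-256 digest over the owner name plus the DNSKEY RDATA, keeping only keys with the SEP bit set (the KSK). The zone `example.test.` and its key bytes are constructed sample data, and the function names are illustrative.

```python
import base64
import hashlib
import struct

# Constructed sample RRset (not a real zone): one ZSK (flags 256), one KSK (flags 257).
# The key material is arbitrary 64-byte filler shaped like an algorithm 13 key.
SAMPLE_RRSET = """\
; constructed sample, laid out like `dig example.test dnskey` answer lines
example.test. 3600 IN DNSKEY 256 3 13 {zsk}
example.test. 3600 IN DNSKEY 257 3 13 {ksk}
""".format(
    zsk=base64.b64encode(bytes(range(64))).decode(),
    ksk=base64.b64encode(bytes(range(64, 128))).decode(),
)

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_rrset(text):
    """Return SHA-256 (digest type 2) DS lines for the KSKs in a DNSKEY RRset."""
    out = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop comments, as in dig output
        if "DNSKEY" not in fields:
            continue
        pos = fields.index("DNSKEY")
        owner = fields[0]
        flags, proto, alg = (int(x) for x in fields[pos + 1:pos + 4])
        pubkey = base64.b64decode("".join(fields[pos + 4:]))
        if not flags & 0x0001:                   # SEP bit clear: a ZSK, no DS for it
            continue
        rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
        digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
        out.append(f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}")
    return out

if __name__ == "__main__":
    print("\n".join(ds_from_rrset(SAMPLE_RRSET)))
```

Comparing the key tag and digest printed here against the DS the parent zone publishes is a quick way to confirm the DS was built from the KSK and not the ZSK.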


