<html><body>Hello Tony, <div><br></div><div><div>could you please help me one more time?</div><div><br></div><div>your suggested workflow working for me in most of the cases. Unfortunately, it happens that the resigning mechanism creates whitespace in the DNSKEY and in the log I can see a message:</div><div>dns_dnssec_findzonekeys2: error reading private key file example.com/ECDSAP256SHA256/6786: file not found</div><div><br></div><div>I double checked the .private and .key also for any TYPO.</div><div><br></div><div>even if the signing process pass.</div><div>#dnssec-signzone -S -P -z example.com</div><div>Fetching KSK/ZSK 6786/ECDSAP256SHA256 from key repository.</div><div>example.com.signed</div><div><br></div><div>Whitespace is visible in dig.</div><div>from dig:</div><div>example.com. 300 IN DNSKEY 257 3 13 nZwiBQ/QLbqqrdgh+Ailr2m1Mu2Mjot6IZ4fzkvAwR8wws5qoJyIqUM<font color="#e02813"><b><u>X p</u></b></font>pcKGFPUg63z70WLgw9oyJOyBHZlIQ==</div><div><br></div><div>And in dnssec-dsfromkey command to.</div><div><br></div><div>Could be a glitch in the openssl command, that translate some character wrongly as a white space after signing process?</div><div><br></div><div>Many thanks for any advice,</div><div>best regards, </div></div>-- <br>Smil Jeskyňka Kazatel<br><br><aside> ---------- Původní e-mail ----------<br>Od: Tony Finch <dot@dotat.at><br>Komu: Milan Jeskynka Kazatel <KazatelM@seznam.cz><br>Datum: 14. 3. 2019 17:23:38<br>Předmět: Re: convert Knot DNS sigantures certs to BIND format.</aside><br><blockquote data-email="dot@dotat.at">Milan Jeskynka Kazatel <KazatelM@seznam.cz> wrote:
<br>>
<br>> Now I´m able to sign my zone. But in dsset file, which should contain the
<br>> same DS as I already have in the parent zone a have different "keytag" and
<br>> different hash.
<br>>
<br>> In my case is "keytag" in dsset file is 43120.
<br>
<br>OK, referring to your previous message...
<br>
<br>> > My original "keytag" is 43121.
<br>
<br>The keytag calculation is a very simple checksum so the fact that the
<br>correct and incorrect tags differ by 1 is a big clue :-) The KSK flag's
<br>value is 1 (ZSK flags == 256, KSK flags == 257) so it looks like you
<br>missed out the `-f KSK` option to dnssec-keygen when making the template
<br>key files.
<br>
<br>You can fix this by changing 256 to 257 in the .key file(s) that should be
<br>KSKs and re-signing the zone. Double check that the key file names match
<br>the key tags, e.g. this is wrong:
<br>
<br>$ dnssec-dsfromkey Kexample.com.+013+19633.key
<br>example.com. IN DS 19634 13 1 32CF6889AEBABD43F2A87A59D4EC13A18A91AA0A
<br>
<br>(Unexpectedly, BIND does not always get upset when the keytag in a key
<br>file name doesn't match the computed keytag, so it's possible to get
<br>things slightly wrong and not notice unless you double check.)
<br>
<br>Tony.
<br>--
<br>f.anthony.n.finch <dot@dotat.at> http://dotat.at/
<br>Southeast Iceland: Cyclonic, mainly northeasterly, 5 to 7, decreasing 4 at
<br>times. Rough or very rough. Wintry showers. Good, occasionally poor.</blockquote></body></html>