<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-variant-caps: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-style: normal; font-weight: normal; font-size: 15px; text-align: start; text-indent: 0px;"><div>Yeah, that’s the problem I’m trying to solve. I run the key thru dnssec-dsfromkey and get 32686, When I put the key in to Route53, I get 22755 from the decoded DS record in the console for Route53.</div><div><br></div><div>That’s why I wanted to decode the DS record to see if it’s encoding it as 32686 or 22755</div><br class="Apple-interchange-newline"></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
<div><br><blockquote type="cite"><div>On Dec 29, 2022, at 09:17, Timothe Litt <litt@acm.org> wrote:</div><br class="Apple-interchange-newline"><div><div class="content-isolator__container">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div>
On 28-Dec-22 19:40, Eric Germann wrote:<br>
<blockquote type="cite" cite="mid:sig.03621a870f.3B5CB206-93EB-43AC-8AF8-35AFDEE710E1@semperen.com">
<div>My question is</div>
<div><br>
</div>
<div>Is there any way to decode the DS record and see what key tag
is actually encoded in it? If it’s 32686 it’s an issue with
Route53. If it’s 22755 it’s an issue with dnssec-dsfromkey.</div>
<div><br>
</div>
<div>If anyone wants the DNSKEY for algorithm 8, ping me off list
and I will share it with you in a private email.</div>
<div><br>
</div>
<div>Thoughts?</div>
<div><br>
</div>
</blockquote><p>And because it's trivial, here are the keytags for all your keys
and DS records and how to get them. Note that you have DNSKEY
32686: installed in the DNS, and that the installed DS is 22755.</p><p>Can't say how it got that way, but that's what is there. (Manual
processes are error-prone. That getting registrars to adopt
CDS/CDNSKEY - RFC7344 - has been so slow is unfortunate.) It's
rarely the tools.<br>
</p><p><code> perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig
+cdflag +short ericgermann.photography DNSKEY); print "$_ =>
",Net::DNS::RR->new("ericgermann.photography. DNSKEY
$_")->keytag,"\n" foreach (@keys);'</code><code><br>
</code><code>257 3 8
AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt
xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O
vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1
SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL
UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV
4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N
egWHPunS1IM= => <font size="4" color="#ff0000"><b>32686</b></font></code><code><br>
</code><code>256 3 8
AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K
AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET
VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2
hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt
qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL
oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE
pbl7yiINzTU= => 43126</code><code><br>
</code><code>256 3 13
bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+
H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== => 36584</code><code><br>
</code><code>256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ=
=> 48248</code><code><br>
</code><code>257 3 15 A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA=
=> 13075</code><code><br>
</code><code>257 3 13
DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6
tkGehWujsuYtwLf0aKt2b1mjQUk/BA== => 49677</code></p><p><code>perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag
+short ericgermann.photography DS); print "$_ =>
",Net::DNS::RR->new("ericgermann.photography. DS
$_")->keytag,"\n" foreach (@keys);'</code><code><br>
</code><code>22755 8 2
2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92
2D1E7FA9 => <font size="5" color="#ff0000"><b>22755</b></font></code><code><br>
</code></p><p>You can, of course, use data from your files instead of dig.
Works for both DS and DNSKEY</p><p> perl -MNet::DNS -MNet::DNS::SEC -e' print
Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2
2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92
2D1E7FA9")->keytag,"\n"'<br>
</p><p><br>
</p><p>Enjoy.<br>
</p>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
<div class="moz-cite-prefix"><br>
</div><div><br class="webkit-block-placeholder"></div><p><br>
</p>
<div id="grammalecte_menu_main_button_shadow_host" style="width:
0px; height: 0px;"></div>
</div>
</div></div></blockquote></div><br></body></html>