<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div>I understand all the tools and output. The error I was trying to find is why they disagreed and checking all the points along the way. Thanks for your scripts. </div><div><br></div>
<div>Anyways, for GoogleFu, I got it fixed and it works correctly now thanks to <a href="https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2">https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2</a></div><div><br></div>
<div>For entering the DS record into Route53, you enter the whole public key in Base64 without spaces or newlines, not the hash of the key like the registrars I’ve used for other domains.</div><div><br></div>
<div>What is annoying is it accepts the hash as perfectly valid and gets the DS record number as the wrong ID.</div><div><br></div>
<div>Thanks to all who helped!</div><div><br></div>
<div>Eric</div><br class="Apple-interchange-newline" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
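<p>An added, runnable illustration of the check discussed in this thread (not code from the thread, from ISC or from Net::DNS::SEC): Python that computes the RFC 4034 Appendix B key tag and the SHA-256 (digest type 2) DS digest from the DNSKEY quoted below, and compares a DS record's leading key tag and digest against it. The record text is taken from the thread; the function names are my own.</p>

```python
import base64
import hashlib

# Records as quoted in the thread (embedded inline so this runs offline).
OWNER = "ericgermann.photography."
DNSKEY = ("257 3 8 "
          "AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt"
          "xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O"
          "vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1"
          "SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL"
          "UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV"
          "4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N"
          "egWHPunS1IM=")
# The DS actually installed at the parent, as shown by the dig output in the thread.
INSTALLED_DS = ("22755 8 2 "
                "2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D922D1E7FA9")

def dnskey_rdata(dnskey_text):
    """Wire-format RDATA (flags, protocol, algorithm, key) from presentation text."""
    flags, proto, alg, *b64 = dnskey_text.split()
    pubkey = base64.b64decode("".join(b64))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey

def keytag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case, fully qualified) wire form of the owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(owner, dnskey_text, digest_type=2):
    """(key tag, algorithm, digest type, hex digest): what dnssec-dsfromkey prints."""
    rdata = dnskey_rdata(dnskey_text)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return keytag(rdata), rdata[3], digest_type, digest

def ds_matches(ds_text, owner, dnskey_text):
    """True if a DS record (its key tag is the first field) covers this DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    want = (int(tag), int(alg), int(dtype), "".join(digest).upper())
    return ds_from_dnskey(owner, dnskey_text, int(dtype)) == want
```

<p>ds_matches(INSTALLED_DS, OWNER, DNSKEY) returns False: the installed 22755 DS does not correspond to the 32686 key, which is the mismatch DNSViz reported.</p>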
<div><br><blockquote type="cite"><div>On Dec 29, 2022, at 10:06, Timothe Litt &lt;litt@acm.org&gt; wrote:</div><br class="Apple-interchange-newline"><div><div class="content-isolator__container">
<div><div>
<br class="webkit-block-placeholder"></div><blockquote type="cite">That’s why I wanted to decode the DS
record to see if it’s encoding it as 32686 or 22755</blockquote>
<br>
As I said, no decoding required. Just look at the DS record. The
keytag is immediately after "DS" in plain, unencoded text.<div><br class="webkit-block-placeholder"></div><p>If the question is how to verify the keytag from the DNSKEY it
references, I've shown you two different tools that produce the
same result.<br>
</p><p>If you use the same input file, you get the same answer from ISC
and Net::DNS::SEC.</p>
<pre>cat >tmp.key
ericgermann.photography. DNSKEY 257 3 8
AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt
xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O
vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1
SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL
UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV
4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N
egWHPunS1IM=

dnssec-dsfromkey -2 tmp
ericgermann.photography. IN DS <b>32686</b> 8 2 A17DF360A9E0CB485BD396A839119441C5FF62A9C9E46D586EBDD1D084E2E36B
</pre>
<p>That's the same answer as Net::DNS::SEC. Two different tools
from reputable sources, same answer.</p><p>None of the installed keys have 22755. DNSvis does show a DS
record installed with 22755 (and no matching key). So AWS is
installing that DS from whatever input you provide it.<br>
</p><p>That leaves:</p>
<ul>
<li>Different input to AWS vs. the local tools<br>
</li>
<ul>
<li>perhaps you have a file with a different DNSKEY that you are
uploading to AWS. I've been known to accidentally overwrite,
rename, or confuse files. (Not often, but it happens.)</li>
<li>have you verified that the contents of the file that you are
using matches what's in the DNS?</li>
<li>Does AWS have an option to use a DNSKEY from your zone?
That would avoid the manual step.<br>
</li>
</ul>
<li>If you're copy/pasting the DNSKEY file into AWS, corruption in
the process (buffer overruns?)</li>
<li>It's not inconceivable that AWS has a bug, but someone should
have hit one like this before you<br>
</li>
</ul><p>Before blaming AWS, I'd be very sure that the same key is being
input. If it is, they have a bug....</p><p>You might also consider using a different key experimentally, on
the off chance that a wrong keytag bug is data-dependent.</p><p>But the most likely scenario is that somehow AWS is generating a
DS for a different key.</p><p>I don't use AWS, so that's as far as I can go.</p><p>Good luck.<br>
</p>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
<div class="moz-cite-prefix">On 29-Dec-22 09:28, Eric Germann wrote:<br>
</div>
<blockquote type="cite" cite="mid:sig.43629c226c.8C2A6ADF-65BB-4C7C-AB6E-322174F39894@semperen.com">
<div dir="auto">
<div>Yeah, that’s the problem I’m trying to solve. I run the key thru dnssec-dsfromkey and get 32686. When I put the key into Route53, I get 22755 from the decoded DS record in the console for Route53.</div>
<div><br></div>
<div>That’s why I wanted to decode the DS record to see if it’s encoding it as 32686 or 22755.</div>
</div>
<div><br>
<blockquote type="cite">
<div>On Dec 29, 2022, at 09:17, Timothe Litt
<a class="moz-txt-link-rfc2396E" href="mailto:litt@acm.org">&lt;litt@acm.org&gt;</a> wrote:</div>
<br class="Apple-interchange-newline">
<div>
<div class="content-isolator__container">
<div> On 28-Dec-22 19:40, Eric Germann wrote:<br>
<blockquote type="cite" cite="mid:sig.03621a870f.3B5CB206-93EB-43AC-8AF8-35AFDEE710E1@semperen.com">
<div>My question is</div>
<div><br>
</div>
<div>Is there any way to decode the DS record and see
what key tag is actually encoded in it? If it’s
32686 it’s an issue with Route53. If it’s 22755
it’s an issue with dnssec-dsfromkey.</div>
<div><br>
</div>
<div>If anyone wants the DNSKEY for algorithm 8, ping
me off list and I will share it with you in a
private email.</div>
<div><br>
</div>
<div>Thoughts?</div>
<div><br>
</div>
</blockquote><p>And because it's trivial, here are the keytags for
all your keys and DS records and how to get them.
Note that you have DNSKEY 32686 installed in the DNS,
and that the installed DS is 22755.</p><p>Can't say how it got that way, but that's what is
there. (Manual processes are error-prone. That
getting registrars to adopt CDS/CDNSKEY - RFC7344 -
has been so slow is unfortunate.) It's rarely the
tools.<br>
</p>
<pre>perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DNSKEY); print "$_ => ",Net::DNS::RR->new("ericgermann.photography. DNSKEY $_")->keytag,"\n" foreach (@keys);'
257 3 8
AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt
xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O
vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1
SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL
UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV
4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM=
=> <b>32686</b>
256 3 8
AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K
AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET
VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2
hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt
qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL
oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE pbl7yiINzTU=
=> 43126
256 3 13
bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+
H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== => 36584
256 3 15
9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ= => 48248
257 3 15
A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA= => 13075
257 3 13
DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6
tkGehWujsuYtwLf0aKt2b1mjQUk/BA== => 49677
</pre>
<pre>perl -MNet::DNS::SEC -e'@keys = split /\n/, qx(dig +cdflag +short ericgermann.photography DS); print "$_ => ",Net::DNS::RR->new("ericgermann.photography. DS $_")->keytag,"\n" foreach (@keys);'
22755 8 2
2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92
2D1E7FA9 => <b>22755</b>
</pre>
<p>You can, of course, use data from your files instead of dig. Works for both DS and DNSKEY.</p>
<pre>perl -MNet::DNS -MNet::DNS::SEC -e' print Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
</pre>
<p>Enjoy.<br>
</p>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
</div>
</div></div></blockquote></div><br></body></html>