<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>
      <blockquote type="cite">What is annoying is it accepts the hash as
        perfectly valid and gets the  DS record number as the wrong ID.</blockquote>
      A key is just a bundle of bits, no way to validate it.  Well,
      perhaps the length should be consistent with the key type...<br>
    </p>
    <p>In fact, with the same input, dnssec-dsfromkey produces the same
      keytag as AWS.  Below I pretend that the hash from your DS is in a
      DNSKEY record.<br>
    </p>
    <p><code>cat >tmp.key<br>
      ericgermann.photography. DNSKEY 257 3 8
      A17DF360A9E0CB485BD396A839119441C5FF62A9C9E46D586EBDD1D084E2E36B</code></p>
    <p><code>dnssec-dsfromkey -2 tmp<br>
      ericgermann.photography. IN DS <b><font size="5" color="#ff0000">22755</font></b> 8 2
      2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D922D1E7FA9</code></p>
    <p>So, as I concluded, AWS was generating a DS for a different
      "key".  Its keytag was correct for the data it got.<br>
    </p>
    <p>Glad you got to a solution.<br>
    </p>
    <pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 
</pre>
    <div class="moz-cite-prefix">On 29-Dec-22 10:39, Eric Germann wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:sig.43623cde19.EF0E4B4E-AF98-4030-B86E-81B2CE6930C7@semperen.com">
      <div>I understand all the tools and output.  The error I was
        trying to find is why they disagreed and checking all the points
        along the way.  Thanks for your scripts.  </div>
      <div><br>
      </div>
      <div>Anyways, for GoogleFu, I got it fixed and it works correctly
        now thanks to <a
href="https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2"
          moz-do-not-send="true" class="moz-txt-link-freetext">https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2</a></div>
      <div><br>
      </div>
      <div>For entering the DS record in to Route53, you enter the whole
        public key in Base64 without spaces or newlines, not the hash of
        the key like the registrars I’ve used for other domains.</div>
      <div><br>
      </div>
      <div>What is annoying is it accepts the hash as perfectly valid
        and gets the  DS record number as the wrong ID.</div>
      <div><br>
      </div>
      <div>Thanks to all who helped!</div>
      <div><br>
      </div>
      <div>Eric</div>
      <div><br>
        <blockquote type="cite">
          <div>On Dec 29, 2022, at 10:06, Timothe Litt
            <a class="moz-txt-link-rfc2396E" href="mailto:litt@acm.org"><litt@acm.org></a> wrote:</div>
          <br class="Apple-interchange-newline">
          <div>
            <div class="content-isolator__container">
              <div>
                <div> <br class="webkit-block-placeholder">
                </div>
                <blockquote type="cite">That’s why I wanted to decode
                  the DS record to see if it’s encoding it as 32686 or
                  22755</blockquote>
                <br>
                As I said, no decoding required.  Just look at the DS
                record.  The keytag is immediately after "DS" in plain,
                unencoded text.
                <div><br class="webkit-block-placeholder">
                </div>
                <p>If the question is how to verify the keytag from the
                  DNSKEY it references, I've shown you two different
                  tools that produce the same result.<br>
                </p>
                <p>If you use the same input file, you get the same
                  answer from ISC and Net::DNS::SEC.</p>
                <p><code>cat >tmp.key<br>
                    ericgermann.photography. DNSKEY 257 3 8
                    AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt
                    xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O
                    vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1
                    SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL
                    UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV
                    4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N
                    egWHPunS1IM=</code></p>
                <p><code>dnssec-dsfromkey -2 tmp<br>
                    ericgermann.photography. IN DS <b><font size="5" color="#ff0000">32686</font></b> 8 2
                    A17DF360A9E0CB485BD396A839119441C5FF62A9C9E46D586EBDD1D084E2E36B</code></p>
                <p>That's the same answer as Net::DNS::SEC.  Two
                  different tools from reputable sources, same answer.</p>
                <p>None of the installed keys have 22755.  DNSViz does
                  show a DS record installed with 22755 (and no matching
                  key).  So AWS is installing that DS from whatever
                  input you provide it.<br>
                </p>
                <p>That leaves:</p>
                <ul>
                  <li>Different input to AWS vs. the local tools
                    <ul>
                      <li>perhaps you have a file with a different DNSKEY
                        that you are uploading to AWS.  I've been known to
                        accidentally overwrite, rename, or confuse files.
                        (Not often, but it happens.)</li>
                      <li>have you verified that the contents of the file
                        that you are using matches what's in the DNS?</li>
                      <li>Does AWS have an option to use a DNSKEY from
                        your zone?  That would avoid the manual step.</li>
                    </ul>
                  </li>
                  <li>If you're copy/pasting the DNSKEY file into AWS,
                    corruption in the process (buffer overruns?)</li>
                  <li>It's not inconceivable that AWS has a bug, but
                    someone should have hit one like this before you<br>
                  </li>
                </ul>
                <p>Before blaming AWS, I'd be very sure that the same
                  key is being input.  If it is, they have a bug....</p>
                <p>You might also consider using a different key
                  experimentally, on the off chance that a wrong keytag
                  bug is data-dependent.</p>
                <p>But the most likely scenario is that somehow AWS is
                  generating a DS for a different key.</p>
                <p>I don't use AWS, so that's as far as I can go.</p>
                <p>Good luck.<br>
                </p>
                <div class="moz-cite-prefix">On 29-Dec-22 09:28, Eric
                  Germann wrote:<br>
                </div>
                <blockquote type="cite"
cite="mid:sig.43629c226c.8C2A6ADF-65BB-4C7C-AB6E-322174F39894@semperen.com">
                  <div>
                    <div>Yeah, that’s the problem I’m trying to solve.  I run
                      the key thru dnssec-dsfromkey and get 32686.  When I put
                      the key into Route53, I get 22755 from the decoded DS
                      record in the console for Route53.</div>
                    <div><br>
                    </div>
                    <div>That’s why I wanted to decode the DS record to see if
                      it’s encoding it as 32686 or 22755</div>
                  </div>
                  <div><br>
                    <blockquote type="cite">
                      <div>On Dec 29, 2022, at 09:17, Timothe Litt <a
                          class="moz-txt-link-rfc2396E"
                          href="mailto:litt@acm.org"
                          moz-do-not-send="true"><litt@acm.org></a>
                        wrote:</div>
                      <br class="Apple-interchange-newline">
                      <div>
                        <div class="content-isolator__container">
                          <div> On 28-Dec-22 19:40, Eric Germann wrote:<br>
                            <blockquote type="cite"
cite="mid:sig.03621a870f.3B5CB206-93EB-43AC-8AF8-35AFDEE710E1@semperen.com">
                              <div>My question is</div>
                              <div><br>
                              </div>
                              <div>Is there any way to decode the DS
                                record and see what key tag is actually
                                encoded in it?  If it’s 32686 it’s an
                                issue with Route53.  If it’s 22755 it’s
                                an issue with dnssec-dsfromkey.</div>
                              <div><br>
                              </div>
                              <div>If anyone wants the DNSKEY for
                                algorithm 8, ping me off list and I will
                                share it with you in a private email.</div>
                              <div><br>
                              </div>
                              <div>Thoughts?</div>
                              <div><br>
                              </div>
                            </blockquote>
                            <p>And because it's trivial, here are the
                              keytags for all your keys and DS records
                              and how to get them.  Note that you have
                              DNSKEY 32686 installed in the DNS, and
                              that the installed DS is 22755.</p>
                            <p>Can't say how it got that way, but that's
                              what is there.  (Manual processes are
                              error-prone.  That getting registrars to
                              adopt CDS/CDNSKEY - RFC7344 - has been so
                              slow is unfortunate.)  It's rarely the
                              tools.<br>
                            </p>
                            <p><code> perl  -MNet::DNS::SEC -e'@keys =
                                split /\n/, qx(dig +cdflag +short
                                ericgermann.photography DNSKEY); print
                                "$_ =>
                                ",Net::DNS::RR->new("ericgermann.photography.
                                DNSKEY $_")->keytag,"\n" foreach
                                (@keys);'</code><code><br>
                              </code><code>257 3 8
                                AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt
xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O
                                vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1
SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL
                                UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV
4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N egWHPunS1IM=
                                => <font size="4" color="#ff0000"><b>32686</b></font></code><code><br>
                              </code><code>256 3 8
                                AwEAAaD+/5eN/zIqYhG/CXXastruIQEBBuD2Y2Yinx+IqWvInKc5Kb6K
AWvUWECjn0Q7Lrt1s759/04SZXm2M4GwuKBzY+Ern2ukWi0hQmUBqoET
                                VSrFhu75FJpi0+8wJZhx5UVPg7NTriYXC29rSTBt/OCr/Ot+utf2P9G2
hr/BXQqcwausick9Gu9zZtzB0072IEM6okZW1rDwlAwmlDjicJgbAnRt
                                qgpWX21CgRG/G8Jjz4pGSP1rt54ilxVbCL8KR3huRaJGb6lnnJnQJckL
oN2+rGaps1bLYC79fgdL5Y/fzR43J+te7RBo4AJXFhW9n1WL6KOKbprE pbl7yiINzTU=
                                => 43126</code><code><br>
                              </code><code>256 3 13
                                bX62WTOQmhTaqnQprecHwUjDzBGAQbF0kqywkNzE1yBTrmP/zBNhvtp+
                                H9iYf1OOcfyDo6iE1XXUCNKHKZFHkg== =>
                                36584</code><code><br>
                              </code><code>256 3 15
                                9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ=
                                => 48248</code><code><br>
                              </code><code>257 3 15
                                A8W3oD5oGEkHjOTfCmPbEBzHHTILksfywXvjQ5r9/dA=
                                => 13075</code><code><br>
                              </code><code>257 3 13
                                DBT06AacWTT1cD//OgwSSNRT9UTZdAgbJOnU/sWcFYhJ+x9SHvpfZGF6
                                tkGehWujsuYtwLf0aKt2b1mjQUk/BA== =>
                                49677</code></p>
                            <p><code>perl  -MNet::DNS::SEC -e'@keys =
                                split /\n/, qx(dig +cdflag +short
                                ericgermann.photography DS); print "$_
                                =>
                                ",Net::DNS::RR->new("ericgermann.photography.
                                DS $_")->keytag,"\n" foreach
                                (@keys);'</code><code><br>
                              </code><code>22755 8 2
                                2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92
                                2D1E7FA9 => <font size="5"
                                  color="#ff0000"><b>22755</b></font></code><code><br>
                              </code></p>
                            <p>You can, of course, use data from your
                              files instead of dig.  Works for both DS
                              and DNSKEY.</p>
                            <p><code>perl -MNet::DNS -MNet::DNS::SEC -e'
                                print
                                Net::DNS::RR->new("ericgermann.photography.
                                DS 22755 8 2
                                2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D92
                                2D1E7FA9")->keytag,"\n"'</code><br>
                            </p>
                            <p><br>
                            </p>
                            <p>Enjoy.<br>
                            </p>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </blockquote>
              </div>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
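    <p>The diagnosis the thread arrives at (the DS digest pasted into the field where Route53 wanted the base64 DNSKEY, so the key tag came out as 22755 instead of 32686) can be reproduced from the RFCs alone. The following is an added example and not code from any message above; it uses the DNSKEY and DS values quoted in the thread, and the 1024-bit minimum in the length check is an assumption of the example, not something the thread states.</p>

```python
"""Reproduce the key tag / DS mismatch from the thread.

RFC 4034 Appendix B gives the key tag, Section 5.1.4 the DS digest, and
RFC 3110 the RSA public key layout.  Added example, not code from the thread;
the record values below are the ones quoted in the messages.
"""
import base64
import hashlib
import struct

OWNER = "ericgermann.photography."

# The KSK from the thread (DNSKEY 257 3 8 ...), wrapped as it was mailed.
KSK_B64 = """
AwEAAatPHgdYxFA74X+17xAMmZNn+I6XVzodbnA/m4M6vV+axYh+PTNt
xrZSQ4PXEcJkNXF5OR1UPfPWea/gGIuYUbjMaa2H7fd+TXqc+C44U/2O
vbZqefSUXl1QzqyxPyG7xZuAgTApFt+PuK9CrQtP7IV9qu34cXAXLGF1
SgrhBi843sTESw8nBAv1MDLMBCDEULVOSghqqxdJQ57yGOdsgYFdt6kL
UNA1zntZV49dDWHGttZWwhEnnMuNz+e6bRroETOIhtzxLn4HOievnZmV
4rqzh5Zku/06QMNiUWwePW07RIGVVzUszU0LaAgBh/m111x5UiYfup2N
egWHPunS1IM=
"""

# SHA-256 DS digest of that key.  This hex string is what was pasted into the
# field that expected the base64 key; hex is a subset of the base64 alphabet,
# so it decodes without complaint into 48 bytes of "key".
KSK_DS_DIGEST_HEX = ("A17DF360A9E0CB485BD396A839119441"
                     "C5FF62A9C9E46D586EBDD1D084E2E36B")


def name_to_wire(name):
    """Owner name in canonical (lowercase, uncompressed) wire format."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        wire += struct.pack("!B", len(raw)) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the decoded key."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def keytag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner-name wire || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def rsa_modulus_bits(rdata):
    """Modulus size of an RFC 3110 RSA key field, or None if malformed.

    The key field starts with a 1-byte exponent length (or 0 followed by a
    2-byte length), then the exponent, then the modulus."""
    key = rdata[4:]
    if not key:
        return None
    if key[0] != 0:
        exp_len, off = key[0], 1
    elif len(key) >= 3:
        exp_len, off = struct.unpack("!H", key[1:3])[0], 3
    else:
        return None
    modulus = key[off + exp_len:]
    if exp_len == 0 or not modulus:
        return None
    return len(modulus) * 8


def plausible_rsa_key(rdata, min_bits=1024):
    """The length check the thread wishes the upload form had made.
    The 1024-bit floor is an assumption for this example."""
    bits = rsa_modulus_bits(rdata)
    return bits is not None and bits >= min_bits


if __name__ == "__main__":
    for label, b64 in (("real KSK", KSK_B64), ("DS digest as key", KSK_DS_DIGEST_HEX)):
        rd = dnskey_rdata(257, 3, 8, b64)
        print(f"{label}: keytag {keytag(rd)}, DS 8 2 {ds_digest_sha256(OWNER, rd)}")
        print(f"  RSA modulus {rsa_modulus_bits(rd)} bits, plausible={plausible_rsa_key(rd)}")
```

    <p>The real key yields 32686 and the A17DF360... digest; feeding that digest back in as a "key" yields 22755 and the 2E81A125... digest, with a 352-bit modulus that a length check would have rejected.</p>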
  </body>
</html>