Hi,

I have trouble rolling over DNSSEC keys on subdomains (no issue for domains, but for all subdomains): the DS digests returned by PowerDNS queries are incorrect. The calculation from my side, and also from pdnsutil, differs from the DNS responses.

$ drill ds @ns1.simplerezo.com help.simplerezo.com
help.simplerezo.com. 7200 IN DS 52911 10 2 058728e3151830ce369137e0f50d6d5181b4885a853abb52076f441bcc586f8b
help.simplerezo.com. 7200 IN DS 46522 13 2 6504f604d391e1b40e860f3b2d2bff08f672239f4516471659383ca9d287f8fb

$ pdnsutil show-zone help.simplerezo.com | grep 'SHA256 digest'
DS = help.simplerezo.com. IN DS 52911 10 2 058728e3151830ce369137e0f50d6d5181b4885a853abb52076f441bcc586f8b ; ( SHA256 digest )
DS = help.simplerezo.com. IN DS 46522 13 2 1fad5fa3556072748a53d6b38924d718fa83121d23f8d5b759392aa8a880bf78 ; ( SHA256 digest )

As you can see, for algorithm RSASHA512 the digests match, but for ECDSAP256SHA256 they do not.

Public key checks:

$ drill -b 1024 dnskey @ns1.simplerezo.com help.simplerezo.com | grep '257 3 13'
help.simplerezo.com. 1800 IN DNSKEY 257 3 13 aqwixB/PBocgbN/MG/87Qd4jJ3lTd2jz43znAyO1c64h+YxtU+zYB2SeCG/HDLgy8h4FtagjGUg6rrAbPxXYuQ== ;{id = 46522 (ksk), size = 256b}

$ pdnsutil show-zone help.simplerezo.com | grep '257 3 13'
KSK DNSKEY = help.simplerezo.com. IN DNSKEY 257 3 13 aqwixB/PBocgbN/MG/87Qd4jJ3lTd2jz43znAyO1c64h+YxtU+zYB2SeCG/HDLgy8h4FtagjGUg6rrAbPxXYuQ== ; ( ECDSAP256SHA256 )

PowerDNS version is 4.9.1, running on FreeBSD with a MySQL backend and OpenSSL 3.0.14.

Thanks for your help!

Regards
--
Clement
SimpleRezo