[ldns-users] drill -k <DS> ?

Gilles Massen gilles.massen at restena.lu
Mon Mar 7 09:26:26 UTC 2011


Hello,

I'm scripting a sanity check for signed zones, and would like to check
if the DNSKEY RR validates based on the DS I received (as a
pre-delegation check).

drill -k <keyfile> seems to be an excellent candidate to do that, but I
cannot get it to work if keyfile contains the DS record (as the manpage
suggests that it can). The only answers I get are these:

./drill -k temp.ds -D dnssec.lu @ns1.restena.lu DNSKEY
[...]
; No keys with the keytag and algorithm from the RRSIG found for id = 0,
owner = dnssec.lu.

or

./drill -k temp.ds -D dnssec.lu @ns1.restena.lu SOA
; The signature does not cover this RRset for id = 0, owner = dnssec.lu.

temp.ds contains records in the form:
dnssec.lu.    IN      DS      21851 8 2
4cdbd90d2c6656427cb5e8e87571c704d8672a56a023df5e8a8111410a4e9176

<keyfile> with DNSKEYs works perfectly btw.

Any suggestions what I'm doing wrong?

Best,
Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
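The pre-delegation check the post describes, confirming that a DNSKEY matches the DS record handed to the parent, can also be done directly from the RFC 4034 definitions: the DS digest is the hash of the owner name in canonical wire format followed by the DNSKEY RDATA (section 5.1.4), and the key tag is the checksum over the RDATA from Appendix B. The following is an added Python example, not code from the post and not part of ldns or drill. The DNSKEY line in it is constructed with a meaningless two-byte public key so it is not a real key; the DS line is derived from it, and digest type 2 (SHA-256) with algorithm 8 is assumed, as in the DS record quoted in the post.

```python
import base64
import hashlib
import struct

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY RR: owner [ttl] [class] DNSKEY flags proto alg base64..."""
    toks = line.split()
    i = toks.index("DNSKEY")
    flags, proto, alg = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    key = base64.b64decode("".join(toks[i + 4:]))
    return toks[0], flags, proto, alg, key


def parse_ds(line):
    """Parse a presentation-format DS RR: owner [ttl] [class] DS keytag alg digesttype hex..."""
    toks = line.split()
    i = toks.index("DS")
    digest = "".join(toks[i + 4:]).lower()
    return toks[0], int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3]), digest


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(dnskey_line, digest_type=2):
    """Compute (owner_wire, keytag, alg, digest_type, hex digest) for a DNSKEY RR."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return name_to_wire(owner), key_tag(rdata), alg, digest_type, digest


def build_ds_line(dnskey_line, digest_type=2):
    """Render the DS RR that a parent would publish for this DNSKEY."""
    owner, _, _, _, key = parse_dnskey(dnskey_line)
    _, tag, alg, dtype, digest = ds_from_dnskey(dnskey_line, digest_type)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def dnskey_matches_ds(dnskey_line, ds_line):
    """True only if owner, key tag, algorithm and digest of the DS all match the DNSKEY."""
    ds_owner, ds_tag, ds_alg, ds_dtype, ds_digest = parse_ds(ds_line)
    if ds_dtype not in DIGEST_ALGS:
        return False  # unknown digest type: cannot validate, treat as mismatch
    k_owner, k_tag, k_alg, _, k_digest = ds_from_dnskey(dnskey_line, ds_dtype)
    return (name_to_wire(ds_owner) == k_owner and ds_tag == k_tag
            and ds_alg == k_alg and ds_digest == k_digest)


# Constructed sample: a KSK (flags 257, SEP bit set) with a two-byte dummy key, not a real key.
SAMPLE_DNSKEY = "example.test. 3600 IN DNSKEY 257 3 8 AAE="
SAMPLE_DS = build_ds_line(SAMPLE_DNSKEY)          # the DS that would be sent to the parent
TAMPERED_DS = SAMPLE_DS[:-1] + ("0" if SAMPLE_DS[-1] != "0" else "1")

if __name__ == "__main__":
    print(SAMPLE_DS)
    print("match:   ", dnskey_matches_ds(SAMPLE_DNSKEY, SAMPLE_DS))
    print("tampered:", dnskey_matches_ds(SAMPLE_DNSKEY, TAMPERED_DS))
```

Run it against the DNSKEY RRset returned by the authoritative server and the DS line intended for the parent; a single altered hex digit, a different key tag or a different owner name is reported as a mismatch, which is the property a pre-delegation check needs.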
