Thanks! I confirmed that the key you posted is indeed the right one for your domain.
There should be no issue, and it looks like your registrar has some kind of bug in their software. This is very unfortunate, but not atypical for DNSSEC implementations
You are correct that the
== do belong to the key. However, they carry no information: base64-encoded data by convention uses a multiple of 4 characters. Your key has 86 characters, which is not a multiple of 4, so two padding characters are added. It’s like leading zeros in a number, except it’s at the end of the string. – Some base64 implementations (the more rigorous ones) insist that the padding characters are there. It’s fine to use such an implementation, but then they have to make sure that the
= characters don’t get lost earlier on the way.
I suggest you point out to them that the DNSKEY is indeed correct, and that you noticed the missing characters in the error message. You can further strengthen your correctness claim by posting this result from the
dig DNS query tool:
$ dig DNSKEY pibit.de @ns1.desec.io
; <<>> DiG 9.16.1-Ubuntu <<>> DNSKEY pibit.de @ns1.desec.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12953
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pibit.de. IN DNSKEY
;; ANSWER SECTION:
pibit.de. 3600 IN DNSKEY 257 3 13 2XdmWivRYYuYXQmQvigB8lPPfFVZQXcNIVQeBJ+xjuOa2q+gVyedqdjP wIUb/VOfsXl0UNtoiIzoaB6hslmu+A==
;; Query time: 28 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Mon Jun 07 11:55:40 CEST 2021
;; MSG SIZE rcvd: 117
The DNSKEY record is listed there, and you can see it’s the same (the extra space is a “display space” only and means nothing).
(Some registrars also get the DNSKEY this way from the DNS, so you don’t have to provide it manually. However, it’s good that your registrar doesn’t do that, as DNSKEY retrieval via DNS is only secure after you turned on DNSSEC – so there’s a chicken-egg problem here.)
If your registrar can’t fix their bug, feel free to get back to me and I’ll give you a recommendation that will work smoothly.