Hi inetipti,
Thanks! I confirmed that the key you posted is indeed the right one for your domain.
There should be no issue, and it looks like your registrar has some kind of bug in their software. This is very unfortunate, but not atypical for DNSSEC implementations.
You are correct that the == do belong to the key. However, they carry no information: base64-encoded data by convention uses a multiple of 4 characters. Your key has 86 characters, which is not a multiple of 4, so two padding characters are added. It's like leading zeros in a number, except it's at the end of the string. Some base64 implementations (the more rigorous ones) insist that the padding characters are there. It's fine to use such an implementation, but then they have to make sure that the = characters don't get lost earlier on the way.
I suggest you point out to them that the DNSKEY is indeed correct, and that you noticed the missing characters in the error message. You can further strengthen your correctness claim by posting this result from the dig DNS query tool:
$ dig DNSKEY pibit.de @ns1.desec.io
; <<>> DiG 9.16.1-Ubuntu <<>> DNSKEY pibit.de @ns1.desec.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12953
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pibit.de. IN DNSKEY
;; ANSWER SECTION:
pibit.de. 3600 IN DNSKEY 257 3 13 2XdmWivRYYuYXQmQvigB8lPPfFVZQXcNIVQeBJ+xjuOa2q+gVyedqdjP wIUb/VOfsXl0UNtoiIzoaB6hslmu+A==
;; Query time: 28 msec
;; SERVER: 45.54.76.1#53(45.54.76.1)
;; WHEN: Mon Jun 07 11:55:40 CEST 2021
;; MSG SIZE rcvd: 117
The DNSKEY record is listed there, and you can see it's the same (the extra space is a "display space" only and means nothing).
(Some registrars also get the DNSKEY this way from the DNS, so you don't have to provide it manually. However, it's good that your registrar doesn't do that, as DNSKEY retrieval via DNS is only secure after you have turned on DNSSEC, so there's a chicken-and-egg problem here.)
If your registrar can't fix their bug, feel free to get back to me and I'll give you a recommendation that will work smoothly.
Stay secure,
Peter
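The padding check described in the post above, as an added example that is not part of the original post or of any registrar's software: it decodes the DNSKEY from the dig output with a strict base64 decoder, shows that the same key with the two "=" characters dropped is rejected, and that restoring the padding yields the identical 64-byte P-256 key that algorithm 13 requires (RFC 6605). The function names are my own.

```python
import base64
import binascii

# The public key exactly as dig printed it above (algorithm 13, ECDSAP256SHA256);
# the display space dig inserts carries no meaning and is stripped before decoding.
POSTED_KEY = ("2XdmWivRYYuYXQmQvigB8lPPfFVZQXcNIVQeBJ+xjuOa2q+gVyedqdjP "
              "wIUb/VOfsXl0UNtoiIzoaB6hslmu+A==")


def repad(b64: str) -> str:
    """Drop display whitespace and restore '=' padding to a multiple of 4 chars."""
    s = "".join(b64.split()).rstrip("=")
    return s + "=" * (-len(s) % 4)


def strict_decode(b64: str) -> bytes:
    """Decode the way a rigorous implementation does: any stray character or
    missing padding raises binascii.Error instead of being silently accepted."""
    return base64.b64decode("".join(b64.split()), validate=True)


def check_dnskey(b64: str, algorithm: int = 13) -> dict:
    """Report what a registrar's validator should see for this key blob."""
    report = {"strict_ok": True}
    try:
        raw = strict_decode(b64)
    except binascii.Error:
        # The strict decoder rejected it; this is the registrar's error case.
        report["strict_ok"] = False
        raw = strict_decode(repad(b64))
    report["key_bytes"] = len(raw)
    report["padding_chars"] = repad(b64).count("=")
    # RFC 6605: an algorithm 13 key is the 64 octets of the uncompressed P-256 point.
    report["length_ok"] = algorithm != 13 or len(raw) == 64
    return report


if __name__ == "__main__":
    print("as posted:      ", check_dnskey(POSTED_KEY))
    print("padding dropped:", check_dnskey(POSTED_KEY.rstrip("=")))
```

Run it and the second line shows the registrar's situation: strict decoding fails only because the "==" went missing, while the key material itself is unchanged.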