DNSSEC on .de-domain with united-domains.de

Hi inetipti,

Thanks! I confirmed that the key you posted is indeed the right one for your domain.

There should be no issue, and it looks like your registrar has some kind of bug in their software. This is very unfortunate, but not atypical for DNSSEC implementations :frowning:

You are correct that the == do belong to the key. However, they carry no information: base64-encoded data by convention uses a multiple of 4 characters. Your key has 86 characters, which is not a multiple of 4, so two padding characters are added. It’s like leading zeros in a number, except it’s at the end of the string. – Some base64 implementations (the more rigorous ones) insist that the padding characters are there. It’s fine to use such an implementation, but then they have to make sure that the = characters don’t get lost earlier on the way. :slight_smile:

I suggest you point out to them that the DNSKEY is indeed correct, and that you noticed the missing characters in the error message. You can further strengthen your correctness claim by posting this result from the dig DNS query tool:

$ dig DNSKEY pibit.de @ns1.desec.io

; <<>> DiG 9.16.1-Ubuntu <<>> DNSKEY pibit.de @ns1.desec.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12953
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pibit.de.			IN	DNSKEY

;; ANSWER SECTION:
pibit.de.		3600	IN	DNSKEY	257 3 13 2XdmWivRYYuYXQmQvigB8lPPfFVZQXcNIVQeBJ+xjuOa2q+gVyedqdjP wIUb/VOfsXl0UNtoiIzoaB6hslmu+A==

;; Query time: 28 msec
;; SERVER: 45.54.76.1#53(45.54.76.1)
;; WHEN: Mon Jun 07 11:55:40 CEST 2021
;; MSG SIZE  rcvd: 117

The DNSKEY record is listed there, and you can see it’s the same (the extra space is a “display space” only and means nothing).

(Some registrars also get the DNSKEY this way from the DNS, so you don’t have to provide it manually. However, it’s good that your registrar doesn’t do that, as DNSKEY retrieval via DNS is only secure after you turned on DNSSEC – so there’s a chicken-egg problem here.)

If your registrar can’t fix their bug, feel free to get back to me and I’ll give you a recommendation that will work smoothly.

Stay secure,
Peter
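The padding and “display space” points above can be checked mechanically. The following is an added example (not part of Peter’s reply or deSEC’s software) that takes the DNSKEY exactly as dig prints it, removes presentation whitespace, restores any `=` padding that got lost on the way, decodes the key, verifies that its length matches what algorithm 13 (ECDSA P-256) requires, and derives the key tag and the SHA-256 DS record per RFC 4034. The owner name and the record text are the ones from the dig output; the function names and the fixed-size table are assumptions of this example.

```python
import base64
import hashlib
import struct

# Constructed from the dig output above (pibit.de, flags 257, protocol 3,
# algorithm 13). The space inside the key is dig's "display space".
DNSKEY_RDATA_TEXT = (
    "257 3 13 2XdmWivRYYuYXQmQvigB8lPPfFVZQXcNIVQeBJ+xjuOa2q+gVyedqdjP "
    "wIUb/VOfsXl0UNtoiIzoaB6hslmu+A=="
)
OWNER_NAME = "pibit.de."

# Raw public-key sizes for the algorithms whose key length is fixed
# (ECDSAP256SHA256, ECDSAP384SHA384, ED25519). Assumed table for this example.
FIXED_KEY_SIZES = {13: 64, 14: 96, 15: 32}


def normalise_base64(text: str) -> str:
    """Drop presentation whitespace and restore '=' padding to a multiple of 4."""
    compact = "".join(text.split()).rstrip("=")
    return compact + "=" * (-len(compact) % 4)


def parse_dnskey(rdata_text: str) -> dict:
    """Parse 'flags protocol algorithm base64key' and rebuild the wire RDATA."""
    fields = rdata_text.split(None, 3)
    flags, protocol, algorithm = (int(fields[i]) for i in range(3))
    key = base64.b64decode(normalise_base64(fields[3]), validate=True)
    expected = FIXED_KEY_SIZES.get(algorithm)
    if expected is not None and len(key) != expected:
        # This is what a truncated key (lost characters) looks like to a strict parser.
        raise ValueError(
            f"algorithm {algorithm} key must be {expected} bytes, got {len(key)}"
        )
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    return {
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "key": key,
        "rdata": rdata,
    }


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner: str, rdata_text: str) -> str:
    """Presentation form of the DS record (digest type 2, SHA-256) for a DNSKEY."""
    k = parse_dnskey(rdata_text)
    digest = hashlib.sha256(wire_name(owner) + k["rdata"]).hexdigest().upper()
    return f"{key_tag(k['rdata'])} {k['algorithm']} 2 {digest}"


if __name__ == "__main__":
    parsed = parse_dnskey(DNSKEY_RDATA_TEXT)
    print("decoded key length:", len(parsed["key"]), "bytes")
    print("DS:", ds_record(OWNER_NAME, DNSKEY_RDATA_TEXT))
```

Because the 86 data characters carry 516 bits, the decoder yields 64 bytes, which is exactly a P-256 public key; the two `=` characters add nothing, so the record parses identically with or without them. Cutting characters off the key, as the registrar’s error message suggests happened, changes the decoded length and is caught by the size check rather than silently producing a different DS.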