
What does Error: multiple DS with keytag: 53376 mean #21

Closed
emdee-is opened this issue Nov 12, 2022 · 6 comments
Comments

@emdee-is

I got this error on kryptonit.org


INFO: validating answers
INFO: validating org DS with . DNSKEY
OK RRSIG (DS, RSASHA256) with DNSKEY (18733, RSASHA256)
INFO: validating . DNSKEY with . DS (trust anchor)
OK RRSIG (DNSKEY, RSASHA256) with DNSKEY (20326, RSASHA256)
OK DNSKEY (20326, RSASHA256) with DS (SHA-256)
INFO: validating org DNSKEY with org DS
OK RRSIG (DNSKEY, RSASHA256) with DNSKEY (26974, RSASHA256)
OK DNSKEY (26974, RSASHA256) with DS (SHA-256)
DBUG: validating kryptonit.org DNSKEY with kryptonit.org DS
OK RRSIG (DNSKEY, ECDSAP256SHA256) with DNSKEY (53376, ECDSAP256SHA256)
Error: multiple DS with keytag: 53376

I know it's a tool for experts, but documenting a few of the most common errors in the except: clauses of __main__.py would help people like me who have never used DNSSEC before.

It might also go in a testsuite to make sure you are raising errors on known bad domains.

@emdee-is
Author

emdee-is commented Nov 12, 2022

Same with pineapple.cx

Error: RRSIG is not valid anymore

Does that mean expired?

@metebalci
Owner

metebalci commented Nov 13, 2022

I think multiple DS with same keytag is clear enough but I should clarify "is not valid anymore".

I very much agree about having a full testsuite but it is difficult/time-consuming to generate such a testsuite, as the errors normally do not happen (DNS servers do these automatically), so probably it should be generated manually. Added #22 for this

@metebalci metebalci self-assigned this Nov 13, 2022
@metebalci metebalci added the enhancement New feature or request label Nov 13, 2022
@emdee-is
Author

I'm new at DNSSEC so my question is even more basic:
is DS with same keytag good or bad?

Should keytags be unique?

Is it an indication that one keytag holder is impersonating another?

The set of test domains I use are suspected to be bad somehow.

@emdee-is
Author

Error: RRSIG is not valid anymore

Is that bad like an expired certificate? Is there an expiry date you can show?

@metebalci
Owner

This is exactly my point, you need to know about DNSSEC to use this tool, or you should be learning about DNSSEC while using it e.g. while learning my blog post.

@metebalci
Owner

Yes it is like an expired certificate. Fixed with ca4aed2
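Added example (not code from metebalci's tool or from anyone in this thread) covering the two questions raised above: how a DNSKEY key tag and a DS digest are computed per RFC 4034, which is why several DS records can legitimately share one key tag (a SHA-1 and a SHA-256 DS for the same key, or an accidental 16-bit checksum collision) and why a validator should try each matching DS rather than stop; and how an RRSIG's inception/expiration window is checked. The zone name is the one from the issue; the DNSKEY bytes, DS set and timestamps are constructed.

```python
import hashlib

def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA
    (the special rule for algorithm 1, RSA/MD5, is not handled here)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_digest(owner: str, dnskey_rdata: bytes, digest_type: int) -> bytes:
    """RFC 4034 section 5.1.4: DS digest = hash(owner name wire | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + dnskey_rdata).digest()

def ds_records_matching(dnskey_rdata: bytes, ds_set: list) -> list:
    """DS records (key_tag, algorithm, digest_type, digest) whose key tag and
    algorithm match this DNSKEY. Several matches are normal: a parent often
    publishes a SHA-1 and a SHA-256 DS for the same key, and the key tag is
    only a 16-bit checksum, so two different keys can collide as well."""
    tag, alg = key_tag(dnskey_rdata), dnskey_rdata[3]
    return [ds for ds in ds_set if ds[0] == tag and ds[1] == alg]

def dnskey_verified_by_ds(owner: str, dnskey_rdata: bytes, ds_set: list) -> bool:
    """Try every matching DS instead of rejecting the zone on the first duplicate."""
    return any(ds_digest(owner, dnskey_rdata, ds[2]) == ds[3]
               for ds in ds_records_matching(dnskey_rdata, ds_set))

def rrsig_status(inception: int, expiration: int, now: int) -> str:
    """RFC 4034 section 3.1.5: an RRSIG only covers inception <= now <= expiration
    (Unix timestamps); past expiration is the DNSSEC analogue of an expired certificate."""
    if now < inception:
        return "not yet valid"
    if now > expiration:
        return "not valid anymore (expired)"
    return "valid"

# Constructed demo data: the zone name is from the issue, the key bytes are made up
# (flags=257 KSK, protocol=3, algorithm=13 ECDSAP256SHA256, 64 fake public-key bytes).
OWNER = "kryptonit.org"
DNSKEY = bytes([0x01, 0x01, 3, 13]) + bytes(range(1, 65))
DS_SET = [(key_tag(DNSKEY), 13, 1, ds_digest(OWNER, DNSKEY, 1)),   # SHA-1 DS
          (key_tag(DNSKEY), 13, 2, ds_digest(OWNER, DNSKEY, 2))]   # SHA-256 DS, same key tag
```

Run with `python -m` style imports or directly; `ds_records_matching(DNSKEY, DS_SET)` returns both DS records, and `dnskey_verified_by_ds(OWNER, DNSKEY, DS_SET)` is True even though the key tag is duplicated.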
