Hello, I have configured dnssec for several domains with some registrars and everything works fine, but now I registered a domain on OVH and I can't enter the DS record from their interface. The error is always “keyTag verification failed with given key data”. Does anyone use OVH? Have you been able to configure the DS record with them? Another question: I saw that in ISPConfig it is possible to enter a DS record. Can I enter it directly there? Is it the same as entering it through the registrar? Thank you in advance for any answers.
Have you contacted OVH support, sent them the record and asked them why they reject it while other domain registrars are accepting that record? No, you must set it at the registrar.
Yes, they wrote me that everything is fine with them. At first they said that there are two records with two different flags. I replied to them that with other registrars there is no problem. So they told me to reset the records and try again. And here another problem arises: how do I reset the dnssec record completely? I tried deleting the domain zone. I also tried deleting the zone in the bind folder (having made backups first), but when I recreate the dns for the domain the same record always comes back, with the same public key and everything. Thanks Till.
The key should get deleted when the zone gets removed. I've added an issue report for that: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6706 For now, delete the key in the bind zone file directory manually after removing the zone.
When I tried deleting them by hand and then recreating the dns zone, the dnssec record came back the same and the key files in the bind zone were not recreated. Can you confirm that there are four key files for each domain? I see (example):

    K*******.info.+013+59845.key
    K*******.info.+013+59845.private
    K*******.info.+013+2781.key
    K*******.info.+013+2781.private
Just for the record and if anyone ever has the same problem: I was able to recreate the keys for the dnssecs. I first cleared the dns area of the site. Then I deleted all the files that contained the affected domain in the name in the bind folder. After that I recreated the dns zone for the domain and recreated the dnssec keys directly from the ISPConfig interface. Unfortunately it still does not work on OVH and I am waiting for a response from their support.
He who does it himself makes three; I don't know if this saying is used in other languages. I waited in vain for OVH's help and by chance this morning I figured out how to do it.

Code:

    DS-Records:
    #####.info. IN DS 1###### 13 2 A################# ######
    ------------------------------------
    DNSKEY-Records:
    ; This is a key-signing key, keyid 1######, for #######.info.
    ; Created: 20240528143201 (Tue May 28 14:32:01 2024)
    ; Publish: 20240528143201 (Tue May 28 14:32:01 2024)
    ; Activate: 20240528143201 (Tue May 28 14:32:01 2024)
    #######.info. IN DNSKEY 257 3 13 B############################# /#################==
    ; This is a zone-signing key, keyid 2####, for #######.info.
    ; Created: 20240528143201 (Tue May 28 14:32:01 2024)
    ; Publish: 20240528143201 (Tue May 28 14:32:01 2024)
    ; Activate: 20240528143201 (Tue May 28 14:32:01 2024)
    #########.info. IN DNSKEY 256 3 13 #######/#####################################==

This is what ISPConfig produces (masked).

With other registrars I used the first few lines:

    keytag 1#####
    Algorithm 13
    Digest Type 2
    Digest A################# ######

(Pay attention to the space that ISPConfig leaves in the string; you need to remove it, e.g. A###########################)

With OVH instead you have to do so:

    Key Tag 1######
    Flag 257 - Key Signing Key (KSK)
    Algoritmo 13 - ECDSAP256SHA256
    Public Key (base 64) B############### /###########################

(Pay attention to the space that ISPConfig leaves in the string; you need to remove it.)
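To check values before pasting them into a registrar form, the sketch below recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest from a DNSKEY's flags, algorithm and public key. It is an added example, not code from the thread, ISPConfig or OVH. It assumes the registrar recomputes the tag from the submitted key data, which is what the error text suggests; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, algorithm, pubkey_b64, protocol=3):
    # Remove the whitespace that zone-file style output leaves inside the key.
    key = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    # RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA.
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    # DS digest type 2: SHA-256 over the canonical owner name plus DNSKEY RDATA.
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest().upper()

def tag_matches(claimed_tag, flags, algorithm, pubkey_b64):
    # Assumed registrar-side check: does the tag belong to this key data?
    return key_tag(dnskey_rdata(flags, algorithm, pubkey_b64)) == claimed_tag

# Constructed sample: 64 bytes standing in for an algorithm 13 public key,
# with a space inserted the way the panel output in the thread shows it.
RAW_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_PUBKEY = RAW_B64[:40] + " " + RAW_B64[40:]
KSK = dnskey_rdata(257, 13, SAMPLE_PUBKEY)  # flag 257: key-signing key
ZSK = dnskey_rdata(256, 13, SAMPLE_PUBKEY)  # flag 256: zone-signing key

if __name__ == "__main__":
    print("KSK key tag:", key_tag(KSK))
    print("DS digest  :", ds_digest_sha256("example.info.", KSK))
    # Pairing the ZSK's tag with the KSK flag does not verify.
    print("ZSK tag with flag 257:", tag_matches(key_tag(ZSK), 257, 13, SAMPLE_PUBKEY))
```

The flags field is part of the checksum, so the tag of the 256 key never verifies against a submission that declares flag 257, even with identical key bytes.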