Hey guys, I am looking for a little assistance. I am trying to set up
aws, that’s my registrar. I have zero experience in this area. I was going to put screenshots of the aws console, but being a discourse rookie is no fun
I am just trying to correlate the information from MiAB admin prompt to my registrar. Hopefully somebody could assist with a quick tutorial?
Any help is much appreciated!
Try listing the fields offered in the AWS interface.
Alright, so when I go to
aws, under the
DNSSEC this is the very first portion. It seems like there are 2 steps.
- I then click under
Enable DNSSEC signing
- The second screen is where I get lost. None of the settings here seem to correlate to
- Section 2 is selected by default. And with that there are even fewer settings.
Okay, I’ve yet to actually deal with this, but when they are asking for them to sign the zone, I think they mean using keys generated by their service. Your zone is actually signed by MiaB, so you don’t need to head down any paths of creating keys.
You need to discover where to enter your own information into the interface. Note that MiaB does provide the Public Key for each algorithm and I suspect there is a reason for this.
Unfortunately, I am just not at all familiar with AWS.
Are you using Route 53 to host your DNS or is Route 53 merely the registrar? In other words, did you follow the glue record and hostname parts of the Mail-in-a-Box Setup Guide?
Are you using Route 53 to host your DNS or is Route 53 merely the registrar?
I think it’s both. All my setup is in
In other words, did you follow the glue record and hostname parts of the Mail-in-a-Box Setup Guide?
@supplyarray Both of your answers can’t be true. If Route 53 hosts your DNS, then none of the DNSSEC information provided by Mail-in-a-Box is relevant.
@JoshData I apologize, this is really not my realm. Please see below:
I think I got it. I was under the hosted zone section. I went to the registrar section, and there’s another DNSSEC section there.
Key type: I can only choose
256 - ZSK and
257 - KSK. This does not seem to match however, the
Key Tag or
Key Flags in
Algorithm I do can choose
Then I would just add the
Public Key. Is that all?
Thanks for the support!
The Key Type is listed in MiaB as Key Flags and is 257 - KSK.
Based on what I see here, it seems like they are asking for the Public key, which I’m guessing is the Public Key stated in MiaB.
You should click the ‘Learn more’ link and see what is there.
@openletter This is the learn more link
Edit: Should I delete the key that’s already there?
There is no need to delete keys until everything is working properly, assuming they permit multiple keys, which they should as it is permitted to have multiple RRsets per RFC.
Specify the public key from the asymmetric key pair that you used to configure DNSSEC with your DNS service provider.
Note the following:
- Specify the public key, not the digest.
- You must specify the key in base64 format.
I think I guessed correctly, so paste in the public key from the MiaB interface for option 1. See what happens.
Use https://dnsviz.net to verify which keys are being used. Note it caches results for a long time (months, at least) so be sure to re-analyze after changes.
@openletter @JoshData Thanks much for the support. Adding the key in the last screen did it!
The analysis with https://dnsviz.net/ shows the 2 keys, and the warning signs are the same as
MiAB not to sign with algorithm 7.
Is it safe to get rid of the
I’m pretty sure if the MiaB status checks see it, then it should be fine.
Understood. Issue solved then! Thanks again for the support!
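Added example, not part of the original thread and not Mail-in-a-Box or AWS code: a way to check that the Key Flags, Algorithm and base64 Public Key entered at the registrar correspond to the Key Tag shown by the DNS host, using the key tag calculation from RFC 4034 Appendix B and the SHA-256 DS digest. The function names, the sample key and the example.com name are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

def dnskey_rdata(flags, algorithm, pubkey_b64, protocol=3):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, raw key."""
    key = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(name, rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(name) + rdata).hexdigest().upper()

def registrar_input_problems(flags, pubkey_b64):
    """Checks for the mistakes discussed in the thread."""
    problems = []
    if flags != 257:
        problems.append("key flags are not 257 (KSK)")
    text = "".join(pubkey_b64.split())
    # A hex digest also decodes as base64, so test for it first.
    if re.fullmatch(r"[0-9A-Fa-f]{40,96}", text):
        problems.append("value looks like a hex digest, not a base64 key")
    else:
        try:
            base64.b64decode(text, validate=True)
        except ValueError:
            problems.append("value is not valid base64")
    return problems

# Constructed sample key (not a real key): 64 bytes, algorithm 13.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 13, SAMPLE_KEY_B64)
    print("key tag:", key_tag(rdata))
    print("DS SHA-256:", ds_sha256("example.com", rdata))
    print("problems:", registrar_input_problems(257, SAMPLE_KEY_B64))
```

If the computed key tag differs from the Key Tag listed for that key, the pasted public key or the chosen flags and algorithm do not match the key that signs the zone.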