DS records in DNS: 8-bit key tag bug, limited algorithms


So… @MarkMeyer noticed that the dashboard supports creating a bunch of new record types. I tried delegating a subdomain to a different DNS service (me), signing it, and creating DS records.

I ran into a couple issues:

  1. When you try to set a key tag larger than 255, it says something like “Key tag must be between 0 and 255”. This is a bug: Key tags are 16 bits. They’re not limited to 255. (I assume they can be 0 - 65,535 inclusive, but I haven’t double checked the RFCs to confirm that 0 or 65,535 or somesuch aren’t excluded.)

  2. It only supports a really limited set of older algorithms: 1, 2, 3, 4 and 5, it seems. Please support all current algorithms. 4 and maybe 1 should be removed, too.

  3. It doesn’t explicitly say which digest algorithms are supported. So I’m left hoping SHA-256 works and wondering if GOST does.

Sorry for complaining about a feature that has barely just been added. :anguished:


Hi there - thanks for reporting this. I’ve sent it off to engineering and will let you know when it gets resolved.


Following up: we’ve fixed the bug in #1 and modified the system to accept all of the values for #2. On #3, we do support all current algorithms and are exploring the best way to communicate that in the UI.


It works now! :heart_eyes:

```
ds.mattnordhoff.net.    300     IN      DS      195 13 2 5B100ACC92BB4CF97A5970D844F12ECAC96BA96469B1CC546C1859A4 17B25FD3
ds.mattnordhoff.net.    300     IN      DS      23278 15 2 3BF0EA8F53D14A706F6083E788A56B1370D42750D7496F587808E718 FA4AB89C
ds.mattnordhoff.net.    300     IN      DS      27613 13 2 7D2FAC87B90599BCBABF75B4C90FBA1200CE91700E95F6CF20FC32E7 AD4DC8B8
ds.mattnordhoff.net.    300     IN      RRSIG   DS 13 3 300 20180706230000 20180704210000 35273 mattnordhoff.net. tm415F+ju5ZvXteINg22Y0qjF6RU0fstg/qGSr8CQFlLWlwDprxC2SEx aJvXFHGFSlAMg24usv6+W/m6BQRATA==
```

(That’s a test subdomain… I’ll probably delete it…)

Edit: Whoa! Timing!
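
An added example, not part of the thread and not the dashboard's own code: a DS input check that treats the key tag as a 2-octet field and ties digest length to digest type, run over the three DS records posted above. The function names and the filler DNSKEY bytes are constructed for illustration; the key tag checksum follows RFC 4034 Appendix B.

```python
# Digest type -> digest length in bytes (IANA DS digest types 1-4):
# SHA-1, SHA-256, GOST R 34.11-94, SHA-384.
DIGEST_LEN = {1: 20, 2: 32, 3: 32, 4: 48}

# DS RDATA copied from the records in the thread.
PAGE_DS = [
    "195 13 2 5B100ACC92BB4CF97A5970D844F12ECAC96BA96469B1CC546C1859A4 17B25FD3",
    "23278 15 2 3BF0EA8F53D14A706F6083E788A56B1370D42750D7496F587808E718 FA4AB89C",
    "27613 13 2 7D2FAC87B90599BCBABF75B4C90FBA1200CE91700E95F6CF20FC32E7 AD4DC8B8",
]

# Constructed DNSKEY RDATA: flags 257, protocol 3, algorithm 13, then 64 filler
# octets standing in for a public key (not a real key).
SAMPLE_DNSKEY = bytes([0x01, 0x01, 0x03, 0x0D]) + bytes(range(64))


def key_tag(dnskey_rdata):
    """RFC 4034 Appendix B checksum (all algorithms except 1): always 16 bits."""
    acc = 0
    for i, octet in enumerate(dnskey_rdata):
        acc += (octet << 8) if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_ds(rdata):
    """Validate 'keytag algorithm digesttype hexdigest' and return the fields."""
    tag_s, alg_s, dtype_s, *hex_parts = rdata.split()
    tag, alg, dtype = int(tag_s), int(alg_s), int(dtype_s)
    if not 0 <= tag <= 0xFFFF:   # 2-octet field, so 255 is not the ceiling
        raise ValueError(f"key tag {tag} outside 0..65535")
    if not 0 <= alg <= 0xFF:     # 1-octet field
        raise ValueError(f"algorithm {alg} outside 0..255")
    if dtype not in DIGEST_LEN:
        raise ValueError(f"unknown digest type {dtype}")
    # Presentation format allows whitespace inside the hex digest.
    digest = bytes.fromhex("".join(hex_parts))
    if len(digest) != DIGEST_LEN[dtype]:
        raise ValueError(f"digest type {dtype} needs {DIGEST_LEN[dtype]} bytes, got {len(digest)}")
    return tag, alg, dtype, digest


if __name__ == "__main__":
    for rdata in PAGE_DS:
        tag, alg, dtype, digest = parse_ds(rdata)
        print(f"ok: key tag {tag}, algorithm {alg}, digest type {dtype}, {len(digest)} bytes")
    print("key tag of constructed DNSKEY:", key_tag(SAMPLE_DNSKEY))
```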


