0
dig -v
DiG 9.9.4-RedHat-9.9.4-18.el7_1.1

That's the version of dig. When I use it to query DS information, it inserts a space into the digest result for type 2 digests:

dig DS domblogger.net. +short
2085 7 2 E3E1BEF53CF187DFA6B0AE1C5CE93AF9D597A64C97317A9A1E45C6A6 03E10D32
2085 7 1 3F3FBE538DA52E982299D7E7BA13A35400536C11

You can see the space before the 03E10D32 for the type 2 digest, probably because of its length.

I've looked at the man page and googled around, but I can't seem to find what option to pass to dig to get it to not insert that space. It also does it with a few other record types related to DNSSEC as well.

I can fix it post query in my script but it sure would be nice if I could just pass it an option where I don't have to. Any help would be appreciated.

Alice Wonder

2 Answers

1

The behavior you observed was not how it was intended to work, and has now been corrected.

The change will be in future releases of BIND 9.9, 9.10, and (when released) BIND 9.11 but if you want it now you can retrieve a diff from the ISC public git repository.

This is the change you want:

4101.   [bug]   dig: the +split option didn't work with +short.
[RT #39291]

and I believe this link will take you directly to the diff in the ISC gitweb viewer.

0

Whitespace in the digest hex string in DS presentation format is explicitly allowed (see RFC 4034 section 5.3), so your code pretty much has to be able to deal with it.

Calle Dybedahl
  • White space is allowed, but I was asking if there was a way to specify that it isn't there; it makes it easier to do a simple grep -c to see if a DS record is being reported during key rollover. – Alice Wonder Apr 16 '15 at 13:23
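
Handling the whitespace that RFC 4034 section 5.3 allows, as an added example that is not part of either answer: a POSIX shell filter that joins the digest chunks of each DS line, so a grep -c style check during key rollover gives the same count whether or not dig splits the field. The function names are this example's own, and the sample input is constructed from the output quoted in the question.

```shell
#!/bin/sh
# Added example: normalise DS records so the digest is one hex string.

# Read DS lines in "dig +short" layout (keytag alg digesttype digest...)
# on stdin; print them with all digest chunks joined and upper-cased.
normalize_ds() {
    awk 'NF >= 4 {
        digest = ""
        for (i = 4; i <= NF; i++) digest = digest $i
        print $1, $2, $3, toupper(digest)
    }'
}

# Count records on stdin that equal the expected DS given as $1.
# The expected value is normalised too, so it may contain spaces
# or lower-case hex. Prints the count; returns 2 if $1 is malformed.
count_ds() {
    expected=$(printf '%s\n' "$1" | normalize_ds)
    [ -n "$expected" ] || return 2
    # grep -c exits 1 on a zero count; the count itself is the result.
    normalize_ds | grep -cxF -- "$expected" || true
}

# Constructed sample: the two DS lines quoted in the question.
sample_ds() {
    cat <<'EOF'
2085 7 2 E3E1BEF53CF187DFA6B0AE1C5CE93AF9D597A64C97317A9A1E45C6A6 03E10D32
2085 7 1 3F3FBE538DA52E982299D7E7BA13A35400536C11
EOF
}

# Live use (needs network access), piping dig into the same filter:
#   dig DS domblogger.net. +short | count_ds "2085 7 2 <expected digest>"
```

Matching on the whole normalised line (grep -x) also avoids counting a record whose digest merely contains the expected string.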