On Jul 14 2009, Mark Elkins wrote:

On Tue, 2009-07-14 at 17:50 +1000, Mark Andrews wrote:
In message <1247555725.13064.4.ca...@ilinux>, Mark Elkins writes:
> OK - so I accept that the algorithm will change.
> What about some sort of validation of the base-64 part of the key?
> Is there a checksum byte/word?
> Is there a way of checking that the length is correct?

Have you thought of reading the RFCs which describe these records?
The answers to your questions are in the RFCs.

For the record - I have been looking at various definitions and at some
RFCs - but the 'right thing' has not jumped out at me yet. Could some
kind soul please point me at the latest RFC that describes the base-64
part of the DNSREC resource record - how to checksum it and calculate
that the length is correct.

Is it really that difficult?

RFC 4034 defines the DNSKEY record (among others). Section 2.2 defines
its presentation ("master file") format. Appendix A defines the
algorithm types (updated by RFC 5155 to define types 6 and 7).
Appendix B describes how to compute the tag ("checksum") for a DNSKEY
record.

All other necessary RFCs are cross-referenced from there:

 RFC 3548 for base-64 encoding
 RFC 3110 for the RSASHA1 (type 5/7) algorithm
 RFC 2536 for the DSA (type 3/6) algorithm
 others for more deprecated algorithms

(You do have to appreciate that where the latter refer to type KEY
records you should take them to cover DNSKEY ones as well.)

There is a limit to how much "validation" you can do on an RSASHA1
key record (the most popular type), absent the signatures that use it.

--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
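Chris's pointers above (RFC 4034 Appendix B for the key tag, RFC 3110 for the RSA key layout) turned into a check, as an added example that is not part of the thread: it rebuilds the DNSKEY RDATA from its presentation fields, computes the key tag, and verifies that the RSA exponent and modulus lengths are consistent with the decoded key. The sample record is constructed and is not a real key; the function names are my own.

```python
import base64
import binascii
import struct
RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format RDATA (RFC 4034 section 2.1) from presentation fields. Strict
    base64 decoding is the only length check the format itself offers."""
    try:
        public_key = base64.b64decode("".join(key_b64.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"public key is not valid base64: {exc}") from None
    if not public_key:
        raise ValueError("public key is empty")
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses the B.1 rule instead)."""
    if rdata[3] == 1:
        raise ValueError("RSA/MD5 key tag follows Appendix B.1, not computed here")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_key_lengths(public_key):
    """Exponent and modulus lengths per RFC 3110 section 2: a non-zero first octet
    is the exponent length; a zero first octet means the next two octets hold it."""
    if public_key[0] != 0:
        exp_len, offset = public_key[0], 1
    elif len(public_key) >= 3:
        exp_len, offset = struct.unpack("!H", public_key[1:3])[0], 3
    else:
        raise ValueError("truncated exponent length field")
    mod_len = len(public_key) - offset - exp_len
    if exp_len == 0 or mod_len <= 0:
        raise ValueError("key too short for its declared exponent length")
    return exp_len, mod_len

def check_dnskey(presentation):
    """Parse 'flags protocol algorithm base64...' and run every check that is possible."""
    flags, protocol, algorithm, *key_parts = presentation.replace("(", " ").replace(")", " ").split()
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), "".join(key_parts))
    result = {"key_tag": key_tag(rdata), "key_octets": len(rdata) - 4}
    if int(algorithm) in RSA_ALGORITHMS:
        result["exponent_len"], result["modulus_len"] = rsa_key_lengths(rdata[4:])
    return result
# Constructed sample, not a real key: flags 256, protocol 3, RSASHA1, 6-octet RSA blob
SAMPLE = "256 3 5 AQOrze8B"
```

Note that nothing here proves the key is genuine; as Chris says, that needs the RRSIGs that were made with it.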
