I have the current BIND-based key set:

dig +multi dnskey hacklab.to
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> +multi dnskey hacklab.to
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31983
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hacklab.to.            IN DNSKEY

;; ANSWER SECTION:
hacklab.to.             3600 IN DNSKEY 256 3 7 (
                                BQEAAAABx40rbmkAmztlEyW1vfV9Rc4FJ9b+q4CAKka2
                                Tpo2Fj/mEvD+5FX6oqgGLD78Tdyo8nSMTjCqOzFRIPFl
                                fcHTg713tvQIV6SINjCK+s1LghW9LB07xXUj7Lsxv+rH
                                Lxdj0Vm6lPbI4XUU2bP/snskSFjqz/8/Eg5wc3S70GTh
                                t6c=
                                ) ; key id = 50014
hacklab.to.             3600 IN DNSKEY 256 3 7 (
                                BQEAAAAB5kSp7mZgqN1Ij4SqfzSxJRZHQHMlcEx7g5GD
                                UBL9CzuUGh+S8lviYVJvcFk0ItVxHPA0heJ9O9ktzRED
                                xGNJBUSQq7mhdHWztO+2Cn3oJFXYsksT8SMHN0y5aSL2
                                uN7K5mf0dsbdXzJkKRx96Swv+tis7oAbgKi+ezwzpTh6
                                DhU=
                                ) ; key id = 31840
hacklab.to.             3600 IN DNSKEY 257 3 7 (
                                AwEAAc9TkaMBxWw1Ib7xLzj5rfjkudp0u1I4InRM5sNq
                                HwfqW2fdt3x48uaiVbE97wITjOJYfLX0urvd4oh2V0xF
                                O+qtfWoZGt5gh0pPY9s15NHSA/JqtqGQpPyYZJo5DS5M
                                5KsU3GHfVoX7kB/wR3F0N2mPfNpzw+l/NZ6HnWYPovH4
                                JioVABUSK891CqZL4lKnWQ2TBWJHXz3rApeUIrdcfYaV
                                8AmWr3b2ISiM1UPXCfJvc9GjImdCPPkaRG/Q5P76A1vO
                                MbJbI44sEuuEpP+i1LGPbE8uCMwHrukqjCbi/J4U0Ery
                                CwVe0HbouHFgE25Jri67bMrJ3XvnNqxUhvxDKGk=
                                ) ; key id = 10416

;; Query time: 3 msec
;; SERVER: 193.110.157.123#53(193.110.157.123)
;; WHEN: Wed Dec 21 14:47:02 2011
;; MSG SIZE  rcvd: 604

After importing these into OpenDNSSEC:

[[email protected]]# ods-ksmutil key list --verbose
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository: Keytag:
hacklab.to                      KSK           active    2011-10-10 00:00:00       A9                                SoftHSM     10414
hacklab.to                      ZSK           retire    2011-12-29 03:45:24       AA                                SoftHSM     31838
hacklab.to                      ZSK           active    2012-01-20 14:45:24       AB                                SoftHSM     50012

Note how the key tags are off-by-two.

If it matters, these are RSASHA1 keys.

Paul
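
Added example, not part of the original post: the DNSKEY key tag (RFC 4034, Appendix B) is a checksum over the whole RDATA, including the algorithm octet, so the same public key gets a tag 2 lower under algorithm 5 (RSASHA1) than under algorithm 7 (NSEC3RSASHA1), the algorithm number shown in the dig output above. The Python below recomputes the tag for the first ZSK copied from that output; the function names are illustrative.

```python
import base64
import struct

# Public key of the first ZSK, copied from the dig output in the post
# (dig reports "key id = 50014" for it, with flags 256, protocol 3, algorithm 7).
ZSK_B64 = (
    "BQEAAAABx40rbmkAmztlEyW1vfV9Rc4FJ9b+q4CAKka2"
    "Tpo2Fj/mEvD+5FX6oqgGLD78Tdyo8nSMTjCqOzFRIPFl"
    "fcHTg713tvQIV6SINjCK+s1LghW9LB07xXUj7Lsxv+rH"
    "Lxdj0Vm6lPbI4XUU2bP/snskSFjqz/8/Eg5wc3S70GTh"
    "t6c="
)


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Build DNSKEY RDATA: flags (2 octets), protocol, algorithm, public key."""
    header = struct.pack("!HBB", flags, protocol, algorithm)
    return header + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, octet in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += (octet << 8) if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def tags_by_algorithm(pubkey_b64, flags=256, protocol=3, algorithms=(5, 7)):
    """Key tag of the same public key under each candidate algorithm number."""
    return {
        alg: key_tag(dnskey_rdata(flags, protocol, alg, pubkey_b64))
        for alg in algorithms
    }


if __name__ == "__main__":
    for alg, tag in tags_by_algorithm(ZSK_B64).items():
        print(f"algorithm {alg}: key tag {tag}")
```

The algorithm octet sits at an odd offset in the RDATA, so it is added to the checksum unshifted, which is why a difference of 2 in the algorithm number shows up as a difference of 2 in the tag.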