On Aug 13, 2012, at 8:00 AM, wfXLtg== wrote:

> Hi all,
> Does anyone know how to calculate the DS RR? I found the formula in RFC
> 4034, but it puzzles me:
>
> "
> The digest is calculated by concatenating the canonical form of the
> fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA,
> and then applying the digest algorithm.
>
> digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
>
> "|" denotes concatenation
>
> DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
> "
>
> If there is a DNSKEY RR as follows:
>
> se. 3600 IN DNSKEY 257 3 5 AwEAAZYYG1hpk8XKHNHpdO/EEg+r4YmIEC4Fn3x2DEsygxDuoT9d/QCi
>     X1pz0omFGCaVfCWHvaScVvWd4xP4kNDnSDQxBzPwLEXE3l0cLseMJ2YM
>     QeBPf3hGhLs6VSDnGFKAzNG4fhri9EBTLv9ubL8Kx8cWQKuu3A5HRVD3
>     li7lZB+0kmUKqGiIQdERKt/Ec36BkK93lyGags5RrR2VDdrXCj9Yay90
>     KCKITk52AbwVoMPm0OYlPbD4ViBPMk5nmh/dPeCoZoVJxgANZ/doVQxR
>     5vDkMBYxuhrXuQk3CvZBB011NsXxk9yHtHvp/5gjUVJjvhdRvjRB6/xY
>     R03c9owi/aM=
>
> How do I calculate the DS using the formula above?
> Is "1(se.|257|3|5|AwEAAZYYG1hpk8XK...)" right for SHA-1? But I know it's
> wrong.
> I have tried many other forms but haven't got the right result yet. Does
> anyone know how to do it?
Yup, here goes: DNSSEC using shell commands ;-)

Effectively, the digest is calculated over the following fields, concatenated:

  DNSKEY owner name:  se.   (0x02736500)
  Flags:              257   (0x0101)
  Protocol:           3     (0x03)
  Algorithm:          5     (0x05)
  Public Key:         Aw......

The first four fields, in hex, are as follows: 02736500 0101 03 05. Dump that into a file:

  echo -n "0273650001010305" > first_part

Convert the DNSKEY blurb to hex using base64 and xxd (unix tools):

  echo -n 'AwEAAZYYG1hpk8XKHNHpdO/EEg+r4YmIEC4Fn3x2DEsygxDuoT9d/QCi
  X1pz0omFGCaVfCWHvaScVvWd4xP4kNDnSDQxBzPwLEXE3l0cLseMJ2YM
  QeBPf3hGhLs6VSDnGFKAzNG4fhri9EBTLv9ubL8Kx8cWQKuu3A5HRVD3
  li7lZB+0kmUKqGiIQdERKt/Ec36BkK93lyGags5RrR2VDdrXCj9Yay90
  KCKITk52AbwVoMPm0OYlPbD4ViBPMk5nmh/dPeCoZoVJxgANZ/doVQxR
  5vDkMBYxuhrXuQk3CvZBB011NsXxk9yHtHvp/5gjUVJjvhdRvjRB6/xY
  R03c9owi/aM=' | base64 -D -i - | xxd -ps > second_part

Now convert the hexdumps to binary, pipe it through shasum, and we're done:

  cat first_part second_part | xxd -r -p | shasum -a 256

Which results in:

  44388b3de9a22cafa8a12883f60a0f984472d0dfef0f63ed59a29be018658b28  -

which is the same as:

  dig +short se ds | awk '{print $4 $5}'
  44388B3DE9A22CAFA8A12883F60A0F984472D0DFEF0F63ED59A29BE018658B28

Hope this helps

Roy Arends
Nominet UK

>
> Best regards,
> Stuart
>
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user@lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
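The same computation Roy walks through above, written out as an added Python example (this is not code from the thread or from OpenDNSSEC): it builds the canonical wire-format owner name and the DNSKEY RDATA, hashes them with DS digest type 1 (SHA-1, which Stuart's "1(...)" notation points at) and type 2 (SHA-256, which the published se. DS uses), and computes the key tag so the full DS RR can be printed. The DNSKEY values and the SHA-256 digest are the ones quoted in the thread; the `<- same as dig` marker is printed only when the computed digest equals that quoted value.

```python
import base64
import hashlib
# DNSKEY RR for "se." as quoted in the thread (constructed here, key whitespace removed).
OWNER = "se."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 5
PUBKEY_B64 = (
    "AwEAAZYYG1hpk8XKHNHpdO/EEg+r4YmIEC4Fn3x2DEsygxDuoT9d/QCi"
    "X1pz0omFGCaVfCWHvaScVvWd4xP4kNDnSDQxBzPwLEXE3l0cLseMJ2YM"
    "QeBPf3hGhLs6VSDnGFKAzNG4fhri9EBTLv9ubL8Kx8cWQKuu3A5HRVD3"
    "li7lZB+0kmUKqGiIQdERKt/Ec36BkK93lyGags5RrR2VDdrXCj9Yay90"
    "KCKITk52AbwVoMPm0OYlPbD4ViBPMk5nmh/dPeCoZoVJxgANZ/doVQxR"
    "5vDkMBYxuhrXuQk3CvZBB011NsXxk9yHtHvp/5gjUVJjvhdRvjRB6/xY"
    "R03c9owi/aM="
)
# SHA-256 digest Roy obtained from `dig +short se ds` (DS digest type 2).
PUBLISHED_SHA256 = "44388b3de9a22cafa8a12883f60a0f984472d0dfef0f63ed59a29be018658b28"
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # RFC 4034 (SHA-1), RFC 4509 (SHA-256)

def canonical_owner_name(name):
    """RFC 4034 s6.2 wire form: lowercase labels as length byte + bytes, then root label 0x00."""
    out = b""
    for label in filter(None, name.lower().split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # "se." -> 02 73 65 00, the first field in Roy's hex

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA = Flags (2 bytes) | Protocol (1) | Algorithm (1) | Public Key."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); first field of the DS RR."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """digest = digest_algorithm(canonical owner name | DNSKEY RDATA), hex-encoded."""
    data = canonical_owner_name(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return DIGEST_TYPES[digest_type](data).hexdigest()

if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    for dt in (1, 2):
        digest = ds_digest(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64, dt)
        note = "  <- same as dig" if digest == PUBLISHED_SHA256 else ""
        print("%s IN DS %d %d %d %s%s" % (OWNER, key_tag(rdata), ALGORITHM, dt, digest.upper(), note))
```

Note that the owner name is hashed in wire format (length-prefixed labels plus the terminating zero byte), not as the text "se.", and the key is hashed as decoded bytes, not as base64 text; both are the usual reasons a hand-computed DS digest fails to match.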