Re: Key ID from DNSKEY - how?
On 10/27/2010 06:46 PM, Mark Elkins wrote:
> I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
> do this in PHP as this is inside some existing PHP (Web) scripts but I
> guess calling a C program would not be too inconvenient.

I use some Python code to do this in our debugging/management tools, translated straight from the RFC; it might convert pretty easily into PHP, although in my experience language number/bit-shift/overflow behaviour can be a bit... odd.

    import base64
    import struct

    def key2keytag(flags, alg1, alg2, keydata):
        # DNSKEY RDATA on the wire: flags (16 bit), protocol (8 bit),
        # algorithm (8 bit), then the raw public key (base64 in the zone)
        data = struct.pack('!HBB', flags, alg1, alg2)
        data += base64.b64decode(keydata)
        v = 0
        for i, b in enumerate(data):
            # odd offsets add the byte as-is, even offsets add it as the high octet
            if i & 1:
                v += b
            else:
                v += b << 8
        # fold the carry back in and keep 16 bits (RFC 4034, Appendix B)
        v += (v >> 16) & 0xFFFF
        return v & 0xFFFF

Called like so:

    tag = key2keytag(257, 3, 5, 'AwEAA...')

Very handy during testing is:

    dig +multi domain.com DNSKEY

...which displays the tag as a comment.

HTH
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Key ID from DNSKEY - how?
On 10/27/2010 1:46 PM, Mark Elkins wrote:
> I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
> do this in PHP as this is inside some existing PHP (Web) scripts but I
> guess calling a C program would not be too inconvenient.
[...]
> Anyway - does anyone have existing code snippets that might assist me?

You may want to look at "dnssec-dsfromkey"

AlanC
Re: Key ID from DNSKEY - how?
On Wed, Oct 27, 2010 at 10:46 AM, Mark Elkins wrote:
> I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
> do this in PHP as this is inside some existing PHP (Web) scripts but I
> guess calling a C program would not be too inconvenient.

See RFC 4034, Appendix B (http://tools.ietf.org/html/rfc4034#appendix-B)

> I'd like to index records (ie DNSKEY and DS Records) according to their
> Key-ID - and present them grouped by Key-ID. DS keys are usually
> presented with their Key-ID - so are less problematic.

The key tag field in a DS RR is the key tag value computed from the DNSKEY RR to which it corresponds in the child zone.

> Side issue - the RFC description for a DS Record on the wire
> gives the first 16 bytes as the Key-ID, followed by (8-bit)
> Algorithm, (8-bit) Digest type and (32 bytes - or so) Digest. Is
> all this info encoded into the Base-64 stuff that one can see as
> ascii in a zone? ... or is the base-64 ascii stuff just the
> Digest?

See below for explanation of the following queries:

    $ dig +short org ds
    21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA

    $ dig +noall +answer +multi org dnskey
    ;; Truncated, retrying in TCP mode.
    org.  383 IN DNSKEY 257 3 7 (
            AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+
            Tz6X2fqzDC1bdq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G
            1GdbjQgbP1OyYIG7OHTc4hv5T2NlyWr6k6QFz98Q4zwF
            IGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsUACxlidpw
            B0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4h
            L1jIR2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnC
            uxkfS4AQ485KH2tpdbWcCopLJZs6tw8q3jWcpTGzdh/v
            3xdYfNpQNcPImFlxAun3BtORPA2r8ti6MNoJEHU=
            ) ; key id = 9795
    org.  383 IN DNSKEY 256 3 7 (
            AwEAAa1gQwarOzgSbmhYj2eRUf/1RcHuAed0zlnAmqJY
            ELF6iUGfPNSBfD0QDilro3Dxc307zVONrTK7qnWtaHXH
            NDFVbB3+qDs1E+9tUjfKt9OuFQBQuGSlVvnM7O5ASbxs
            Ex/8ms3mQFDCt4nTUmcELQGVE/EwLcDjxAUAmYBW9bQN
            ) ; key id = 61598
    org.  383 IN DNSKEY 256 3 7 (
            AwEAAfyGacR9k8f85+1XqM6qLTLwdAEQDHUJJbScMrqq
            XesZN6GFZDqn4zahg2GllxlHbGMuQJsWXSotq2Jp1Khe
            /fp1547v0k2jnOaFv/18wLBmUGSQNNTWpBgp8Yzu8BOw
            18kHmbXpQeju2mk6bHgiL7HkJfFoV1nsSTh15q92d5IR
            ) ; key id = 245
    org.  383 IN DNSKEY 257 3 7 (
            AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
            dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm
            GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
            bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t
            XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
            x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj
            CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
            DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=
            ) ; key id = 21366

The first value in the DS RR (21366) is the 16-bit key tag value computed from the org DNSKEY last in the list below. The second value (7) corresponds to the algorithm of this DNSKEY RR. The last field is the hex representation of the SHA-256 digest (designated by value "2" in the digest algorithm field of the DS RR) of DNSKEY RR 21366.

> I'd love to be able to validate both DS and DNSKEY records that
> people give me but I am still floundering around amongst the
> DNSSEC RFC's...
>
> I understand that key-ID's are not necessarily unique but as I'd usually
> not have more than about 4 or so in any one domain - I'm hoping that
> statistics will be with me 99.95% of the time.

From RFC 4034, section 8:

    The key tag is used to help select DNSKEY resource records
    efficiently, but it does not uniquely identify a single DNSKEY
    resource record. It is possible for two distinct DNSKEY RRs to
    have the same owner name, the same algorithm type, and the same
    key tag. An implementation that uses only the key tag to select
    a DNSKEY RR might select the wrong public key in some
    circumstances. Please see Appendix B for further details.

> Anyway - does anyone have existing code snippets that might assist me?

See the code snippet in the RFC for starters.

Casey
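The key-tag routine in the first reply and Casey's explanation of how a DS record relates to its DNSKEY can both be checked against the data quoted in this thread. The Python below is an added example, not code from the thread, from the RFC or from BIND: it parses DNSKEY records in dig's presentation format, computes the RFC 4034 Appendix B key tag, and verifies the posted org DS record by recomputing the RFC 4034 section 5.1.4 digest (SHA-256 over the canonical owner name followed by the DNSKEY RDATA). The sample input is the org DNSKEY RRset and DS record from Casey's dig output with the line layout condensed; the function names and the small hand-computed key in the usage note are this example's own. Because key tags are not unique (RFC 4034 section 8, quoted above), the tag only narrows the candidate keys and the digest makes the decision.

```python
import base64
import hashlib
import re
import struct

# Constructed sample input: the org. DNSKEY RRset and DS record quoted in this
# thread. dig's own "; key id" comments are what the computed tags are checked
# against; any transcription error would surface as a tag or digest mismatch.
ORG_DNSKEY_TEXT = """\
org. 383 IN DNSKEY 257 3 7 ( AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+
    Tz6X2fqzDC1bdq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G 1GdbjQgbP1OyYIG7OHTc4hv5T2NlyWr6k6QFz98Q4zwF
    IGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsUACxlidpw B0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4h
    L1jIR2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnC uxkfS4AQ485KH2tpdbWcCopLJZs6tw8q3jWcpTGzdh/v
    3xdYfNpQNcPImFlxAun3BtORPA2r8ti6MNoJEHU= ) ; key id = 9795
org. 383 IN DNSKEY 256 3 7 ( AwEAAa1gQwarOzgSbmhYj2eRUf/1RcHuAed0zlnAmqJY
    ELF6iUGfPNSBfD0QDilro3Dxc307zVONrTK7qnWtaHXH NDFVbB3+qDs1E+9tUjfKt9OuFQBQuGSlVvnM7O5ASbxs
    Ex/8ms3mQFDCt4nTUmcELQGVE/EwLcDjxAUAmYBW9bQN ) ; key id = 61598
org. 383 IN DNSKEY 256 3 7 ( AwEAAfyGacR9k8f85+1XqM6qLTLwdAEQDHUJJbScMrqq
    XesZN6GFZDqn4zahg2GllxlHbGMuQJsWXSotq2Jp1Khe /fp1547v0k2jnOaFv/18wLBmUGSQNNTWpBgp8Yzu8BOw
    18kHmbXpQeju2mk6bHgiL7HkJfFoV1nsSTh15q92d5IR ) ; key id = 245
org. 383 IN DNSKEY 257 3 7 ( AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
    dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
    bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
    x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
    DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU= ) ; key id = 21366
"""
ORG_DS_TEXT = "org. IN DS 21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA"

# dig +multi presentation format: owner [TTL] [IN] DNSKEY flags proto alg ( base64... ) ; key id = N
DNSKEY_RE = re.compile(
    r"(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+\(\s*(?P<key>[A-Za-z0-9+/=\s]+?)\s*\)(?:[ \t]*;[ \t]*key id\s*=\s*(?P<tag>\d+))?")
DS_RE = re.compile(
    r"(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(?P<tag>\d+)\s+(?P<alg>\d+)\s+"
    r"(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f]+(?:\s+[0-9A-Fa-f]+)*)")


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased labels, RFC 4034 section 6.2."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.lower().encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA on the wire: flags(16) | protocol(8) | algorithm(8) | public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):       # odd offsets: low octet, even offsets: high octet
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF           # fold the carry back in
    return ac & 0xFFFF


DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types 1 (SHA-1) and 2 (SHA-256)


def ds_digest(owner, rdata, dtype):
    """RFC 4034 section 5.1.4: digest = H(canonical owner name | DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskeys(text):
    """Parse DNSKEY records in presentation format into dicts carrying the computed key tag."""
    keys = []
    for m in DNSKEY_RE.finditer(text):
        rdata = dnskey_rdata(int(m["flags"]), int(m["proto"]), int(m["alg"]),
                             re.sub(r"\s+", "", m["key"]))
        keys.append({"owner": m["owner"].lower(), "flags": int(m["flags"]),
                     "alg": int(m["alg"]), "rdata": rdata, "tag": key_tag(rdata),
                     "dig_tag": int(m["tag"]) if m["tag"] else None})
    return keys


def parse_ds(text):
    """Parse one DS record: key tag, algorithm, digest type and hex digest."""
    m = DS_RE.search(text)
    return {"owner": m["owner"].lower(), "tag": int(m["tag"]), "alg": int(m["alg"]),
            "dtype": int(m["dtype"]), "digest": re.sub(r"\s+", "", m["digest"]).upper()}


def match_ds(ds, keys):
    """Return the DNSKEYs a DS actually authenticates. Owner, algorithm and key tag only
    narrow the candidates (tags are not unique, RFC 4034 section 8); the digest decides."""
    return [k for k in keys
            if k["owner"] == ds["owner"] and k["alg"] == ds["alg"] and k["tag"] == ds["tag"]
            and ds_digest(k["owner"], k["rdata"], ds["dtype"]) == ds["digest"]]


if __name__ == "__main__":
    keys = parse_dnskeys(ORG_DNSKEY_TEXT)
    for k in keys:
        print(k["flags"], k["alg"], "computed tag", k["tag"], "dig says", k["dig_tag"])
    ds = parse_ds(ORG_DS_TEXT)
    print("DS", ds["tag"], "authenticates", [k["tag"] for k in match_ds(ds, keys)])
```

Run stand-alone, the script lists the four org keys with the tag it computed beside the tag dig printed, then reports which key the DS authenticates. A tiny hand-checkable case for the tag routine: flags 256, protocol 3, algorithm 5 and a two-byte public key 01 02 (base64 "AQI=") give the RDATA 01 00 03 05 01 02, whose accumulator is 256 + 0 + 768 + 5 + 256 + 2 = 1287 with no carry to fold.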
Key ID from DNSKEY - how?
I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to do this in PHP as this is inside some existing PHP (Web) scripts but I guess calling a C program would not be too inconvenient.

I'd like to index records (ie DNSKEY and DS Records) according to their Key-ID - and present them grouped by Key-ID. DS keys are usually presented with their Key-ID - so are less problematic.

Side issue - the RFC description for a DS Record on the wire gives the first 16 bytes as the Key-ID, followed by (8-bit) Algorithm, (8-bit) Digest type and (32 bytes - or so) Digest. Is all this info encoded into the Base-64 stuff that one can see as ascii in a zone? ... or is the base-64 ascii stuff just the Digest?

I'd love to be able to validate both DS and DNSKEY records that people give me but I am still floundering around amongst the DNSSEC RFC's...

I understand that key-ID's are not necessarily unique but as I'd usually not have more than about 4 or so in any one domain - I'm hoping that statistics will be with me 99.95% of the time.

Anyway - does anyone have existing code snippets that might assist me?

--
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496