IPSECKEY RRs?

Mark Andrews marka at isc.org
Fri Dec 21 05:56:52 UTC 2012


In message <5204CCDF4424E7419D7889FE1E74593532C82605 at SMAILDAG10.wstw.energy-it.net>, Melbinger Christian writes:
> Hi
> 
> Does anyone have experience with a IPSECKEY RR? Especially how to make 
> one?
> 
> Why do I need one, you ask?
> Well, it's my best guess. I have to create a site2site VPN tunnel between 
> a Westermo GPRS modem and a Checkpoint firewall, and the modem does not 
> accept the certificate.
> Instead it logs: "no RSA public key known for '62.99.190.155'; DNS search 
> for KEY failed (failure querying DNS for KEY of 
> 155.190.99.62.in-addr.arpa.: Host name lookup failure)"
> 
> 
> I found an example of such an RR on the interwebs; it looks like this:
> 38.2.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 1 2
>                     192.0.2.38
>                     AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
> My BIND 9.8.2 accepts this record, but of course I need the correct one, 
> not the example.
> So, does anyone know how to convert the public key of my certificate into 
> a signature like this?

You can just extract the RSA key from the CERT.  Replace exponent and mantissa
below and run the following Perl script to generate the base64-encoded key.

Mark

use strict;
use warnings;
use MIME::Base64;

# Public exponent and mantissa (the RSA modulus) as hex octets.  The values
# here are the ones from the example record quoted above; substitute the
# exponent and modulus of your own certificate's public key.
my $exponent = "03";
my $mantissa = "51  53  79  86  ed  35  53  3b  60  64  47  8e  ee  b2 7b  5b  d7  4d  ae  14  9b  6e  81  ba  3a  05  21  af  82  ab  78  01";

# strip white space
$exponent =~ s/\s//g;
$mantissa =~ s/\s//g;

# convert to binary
$exponent = pack("H*", $exponent);
$mantissa = pack("H*", $mantissa);

# paste the key components together in the RFC 3110 RSA key format:
# exponent length (one octet, or a zero octet followed by a two-octet
# length when the exponent is 256 octets or longer), exponent, modulus
my $data = '';
if (length($exponent) < 256) {
        $data .= pack("C", length($exponent));
} else {
        $data .= pack("Cn", 0, length($exponent));
}
$data .= $exponent;
$data .= $mantissa;

# base64 encode on a single line and print
print encode_base64($data, '') . "\n";


> Here some additional information:
> 
> Log entries of the Westermo MRD-310:
> <84>Dec 18 16:51:25 pluto16214: "VPN_ASA_TM0" #1: Main mode peer ID is 
> ID_IPV4_ADDR: '62.99.190.155'
> <84>Dec 18 16:51:25 pluto16214: "VPN_ASA_TM0" #1: issuer cacert not found
> <84>Dec 18 16:51:25 pluto16214: "VPN_ASA_TM0" #1: X.509 certificate 
> rejected
> <84>Dec 18 16:51:25 pluto16214: "VPN_ASA_TM0" #1: issuer cacert not found
> <84>Dec 18 16:51:25 pluto16214: "VPN_ASA_TM0" #1: X.509 certificate 
> rejected
> <84>Dec 18 16:51:26 pluto16214: "VPN_ASA_TM0" #1: no RSA public key known 
> for '62.99.190.155'; DNS search for KEY failed (failure querying DNS for 
> KEY of 155.190.99.62.in-addr.arpa.: Host name lookup failure)
> <84>Dec 18 16:51:26 pluto16214: "VPN_ASA_TM0" #1: sending encrypted 
> notification INVALID_KEY_INFORMATION to 62.99.190.155:500
> 
> 
> IPSECKEY rfc:
> https://tools.ietf.org/html/rfc4025
> 
> 
> Thanks!
> 
> ---
> Ing. Christian Melbinger
> Network & Security
> 
> WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
> A-1030 Wien, Thomas-Klestil-Platz 6
> tel: +43 (1) 90405 47188
> fax: +43 (1) 90405 88 47188
> mailto:christian.melbinger at wienit.at
> 
> ____________________________________________________________________________
> 
> WienIT EDV Dienstleistungsgesellschaft mbH & Co KG, A-1030 Wien, 
> Thomas-Klestil-Platz 6,
> FN 255974h, Handelsgericht Wien, DVR: 2109667, UID-Nr. ATU61260824
> Personally liable partner:
> WienIT EDV Dienstleistungsgesellschaft mbH, A-1030 Wien, 
> Thomas-Klestil-Platz 6,
> FN 255649f, Handelsgericht Wien, UID-Nr. ATU61296118

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
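The public-key field Mark's script produces is the RFC 3110 RSA encoding (exponent length, exponent, modulus), which RFC 4025 section 2.6 reuses for IPSECKEY algorithm 2. The Python below is an added example, not code from this thread or from ISC: it builds that encoding, assembles the full IPSECKEY RDATA (precedence, gateway type, algorithm, gateway, key) and the zone-file line for the address's reverse name, and parses wire RDATA back so the record a server actually returns can be compared with the certificate. The exponent and modulus are a constructed sample taken from the example record quoted above (a 256-bit RFC example key, far too short for real use); reading them out of a real certificate, e.g. from `openssl x509 -noout -text`, which prints both, is assumed to be done separately. Function and constant names are this example's own.

```python
"""IPSECKEY (RFC 4025) RDATA builder/parser using the RFC 3110 RSA key encoding.

Sample values are the RFC 4025 example record quoted in the thread
(192.0.2.38, exponent 3, a 256-bit modulus); they are not a real key.
"""
import base64
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# RFC 4025 section 2.3 gateway types and section 2.4 algorithm types.
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2


def _i2b(n: int) -> bytes:
    """Shortest big-endian encoding of a non-negative integer."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def encode_rsa_public_key(exponent: int, modulus: int) -> bytes:
    """RFC 3110 section 2: exponent length (one octet, or 0x00 plus a two-octet
    length when the exponent is 256 octets or longer), exponent, modulus."""
    exp, mod = _i2b(exponent), _i2b(modulus)
    prefix = struct.pack("B", len(exp)) if len(exp) < 256 else struct.pack(">BH", 0, len(exp))
    return prefix + exp + mod


def decode_rsa_public_key(data: bytes) -> Tuple[int, int]:
    """Inverse of encode_rsa_public_key: returns (exponent, modulus)."""
    if data[0] != 0:
        exp_len, off = data[0], 1
    else:
        exp_len, off = struct.unpack(">H", data[1:3])[0], 3
    exponent = int.from_bytes(data[off:off + exp_len], "big")
    modulus = int.from_bytes(data[off + exp_len:], "big")
    return exponent, modulus


def rsa_public_key_b64(exponent: int, modulus: int) -> str:
    """The base64 text that goes in the last field of an IPSECKEY record."""
    return base64.b64encode(encode_rsa_public_key(exponent, modulus)).decode("ascii")


def _gateway(gateway: Optional[str]) -> Tuple[int, bytes]:
    """Map a gateway string (None/'.', IPv4, IPv6 or domain name) to (type, wire bytes)."""
    if gateway is None or gateway == ".":
        return GW_NONE, b""
    try:
        addr = ipaddress.ip_address(gateway)
    except ValueError:
        # Not an address: encode as an uncompressed domain name (RFC 1035 section 3.1).
        wire = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                        for l in gateway.rstrip(".").split(".") if l)
        return GW_NAME, wire + b"\x00"
    return (GW_IPV4 if addr.version == 4 else GW_IPV6), addr.packed


def ipseckey_rdata(precedence: int, gateway: Optional[str], algorithm: int, public_key: bytes) -> bytes:
    """RFC 4025 section 2 wire RDATA: precedence(1) gateway-type(1) algorithm(1) gateway key."""
    gw_type, gw_wire = _gateway(gateway)
    return struct.pack("BBB", precedence, gw_type, algorithm) + gw_wire + public_key


def parse_ipseckey_rdata(data: bytes) -> Dict[str, object]:
    """Decode wire RDATA back into its fields (to check what a server really serves)."""
    precedence, gw_type, algorithm = struct.unpack("BBB", data[:3])
    off = 3
    if gw_type == GW_NONE:
        gateway = "."
    elif gw_type == GW_IPV4:
        gateway, off = str(ipaddress.IPv4Address(data[3:7])), 7
    elif gw_type == GW_IPV6:
        gateway, off = str(ipaddress.IPv6Address(data[3:19])), 19
    elif gw_type == GW_NAME:
        labels = []
        while data[off] != 0:
            n = data[off]
            labels.append(data[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        gateway, off = ".".join(labels) + ".", off + 1
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    return {"precedence": precedence, "gateway_type": gw_type, "algorithm": algorithm,
            "gateway": gateway, "public_key": data[off:]}


def ipseckey_presentation(ip: str, ttl: int, precedence: int, gateway: Optional[str],
                          algorithm: int, public_key: bytes) -> str:
    """Zone-file line for the reverse name of `ip`, e.g. 38.2.0.192.in-addr.arpa."""
    owner = ipaddress.ip_address(ip).reverse_pointer + "."
    gw_type, _ = _gateway(gateway)
    gw_text = "." if gateway is None else gateway
    key_b64 = base64.b64encode(public_key).decode("ascii")
    return "%s %d IN IPSECKEY %d %d %d %s %s" % (owner, ttl, precedence, gw_type, algorithm, gw_text, key_b64)


# Constructed sample: the RFC 4025 example key (exponent 3, 256-bit modulus), not a real key.
EXAMPLE_EXPONENT = 3
EXAMPLE_MODULUS = int("51537986ed35533b6064478eeeb27b5bd74dae149b6e81ba3a0521af82ab7801", 16)
EXAMPLE_KEY = encode_rsa_public_key(EXAMPLE_EXPONENT, EXAMPLE_MODULUS)
EXAMPLE_LINE = ipseckey_presentation("192.0.2.38", 7200, 10, "192.0.2.38", ALG_RSA, EXAMPLE_KEY)

if __name__ == "__main__":
    print(EXAMPLE_LINE)
    print(parse_ipseckey_rdata(ipseckey_rdata(10, "192.0.2.38", ALG_RSA, EXAMPLE_KEY)))
```

Running it reproduces the quoted example line, including the `AQNRU3mG...AQ==` key, which is a quick way to confirm that a hand-built record matches the RFC encoding before publishing one for a real key. Two things to keep in mind when doing that: a real public exponent such as 65537 and a 2048-bit modulus go through the same code, and the three-octet length prefix only appears for exponents of 256 octets or more; and anything a peer pulls from DNS this way is only as trustworthy as the lookup, so RFC 4025 expects the record to be DNSSEC-signed and validated before the key is used.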
