DNSKEY Validation
Stephane Bortzmeyer
bortzmeyer at nic.fr
Sun Jul 12 21:13:48 UTC 2009
On Sun, Jul 12, 2009 at 08:42:27PM +0200,
Mark Elkins <mje at posix.co.za> wrote
a message of 31 lines which said:
> Arg 3 should be 5 (or maybe 3) - the algorithm.
No, you must not use a hard-wired list in your code, because the list
of algorithms registered at IANA can change.
> Can I glean a domain name out of the base-64 stuff - or anything else
> useful - time stamps, etc?
Time stamps are in the RRSIG, not in the DNSKEY. DNSSEC keys have no
expiration.
> If I was instead just given a DS Key - how would I then get the
> corresponding DNSKEY?
You cannot, since the DS is a hash of the DNSKEY. If you could do it,
you would get the Fields Medal :-)
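
Added example, not part of the original message: the forward direction (DNSKEY to DS, following RFC 4034) is cheap, so a candidate DNSKEY can be checked against a DS even though the DS cannot be reversed. The function names and the 4-byte dummy key are constructed for illustration.

```python
import base64
import hashlib

# DS digest types (IANA "DS RR Type Digest Algorithms"): 1=SHA-1, 2=SHA-256, 4=SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(text):
    """Parse 'flags protocol algorithm base64key' into wire-format RDATA."""
    flags, protocol, algorithm, *key = text.split()
    pubkey = base64.b64decode("".join(key))
    # The algorithm number is copied through as-is, not checked against a fixed list.
    return int(flags).to_bytes(2, "big") + bytes([int(protocol), int(algorithm)]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (even-offset bytes are the high octet)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, dnskey_text, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest) for a DNSKEY."""
    rdata = dnskey_rdata(dnskey_text)
    # DS digest = hash(owner name in wire form | DNSKEY RDATA)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest


def matches_ds(owner, dnskey_text, ds):
    """True if the candidate DNSKEY hashes to the given DS tuple."""
    tag, alg, dtype, digest = ds
    return make_ds(owner, dnskey_text, dtype) == (tag, alg, dtype, digest.lower())


# Constructed sample: a 4-byte dummy "key", not a real DNSKEY.
SAMPLE_KEY = "257 3 5 AQIDBA=="
SAMPLE_DS = make_ds("Example.COM.", SAMPLE_KEY)
```

The owner name is part of the hashed input, so the same key published under a different name yields a different DS.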