DNSKEY Validation

Chris Thompson cet1 at cam.ac.uk
Wed Jul 15 11:36:17 UTC 2009


On Jul 14 2009, Mark Elkins wrote:

>On Tue, 2009-07-14 at 17:50 +1000, Mark Andrews wrote:
>> In message <1247555725.13064.4.camel at ilinux>, Mark Elkins writes:
>> > OK - so I accept that the algorithm will change.
>> > 
>> > What about some sort of validation of the base-64 part of the key?
>> > Is there a checksum byte/word?
>> > Is there a way of checking that the length is correct?
>> 
>> Have you thought of reading the RFCs which describe these records?
>> The answers to your questions are in the RFCs.
>
>For the record - have been looking at various definitions and at some
>RFCs - but the 'right thing' has not jumped out at me yet. Could some
>kind soul please point me at the latest RFC that describes the base-64
>part of the DNSREC resource record - how to checksum it and calculate
>that the length is correct.

Is it really that difficult?

  RFC 4034 defines the DNSKEY record (among others). 
    Section 2.2 defines its presentation ("master file") format.
    Appendix A defines the algorithm types (updated by RFC 5155 
      to define types 6 and 7).
    Appendix B describes how to compute the tag ("checksum") for
      a DNSKEY record.

All other necessary RFCs are cross-referenced from there:

  RFC 3548 for base-64 encoding
  RFC 3110 for the RSASHA1 (type 5/7) algorithm
  RFC 2536 for the DSA (type 3/6) algorithm
  others for more deprecated algorithms

(You do have to appreciate that where the latter refer to type KEY
records you should take them to cover DNSKEY ones as well.)

There is a limit to how much "validation" you can do on an RSASHA1
key record (the most popular type), absent the signatures that use it.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
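
The checks the reply points at, as an added worked example (not code from the original thread, and not BIND's own): it parses a DNSKEY in the RFC 4034 Section 2.2 master-file form, runs the Appendix B key tag calculation (the nearest thing to the "checksum" asked about), and verifies the internal length structure that RFC 3110 imposes on RSA key blobs and RFC 2536 on DSA ones. The sample record is constructed for this example with a toy 64-bit modulus so the arithmetic can be followed by hand; the 512-bit floor is this example's own sanity threshold, not an RFC requirement.

```python
"""Parse a DNSKEY presentation-format record, check its structure, and compute
its key tag (RFC 4034 Section 2.2 and Appendix B; RFC 3110; RFC 2536)."""
import base64

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSA_ALGS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
            8: "RSASHA256", 10: "RSASHA512"}
DSA_ALGS = {3: "DSA", 6: "DSA-NSEC3-SHA1"}

FLAG_ZONE_KEY = 0x0100   # bit 7, RFC 4034 2.1.1
FLAG_REVOKE = 0x0080     # bit 8, RFC 5011
FLAG_SEP = 0x0001        # bit 15, RFC 4034 2.1.1

# Constructed toy record for this example: e=65537 and a 64-bit modulus
# (0xC35A912FE744B86D), far too small for real use.
SAMPLE = "example.com. 3600 IN DNSKEY 257 3 5 AwEAAcNakS/nRLht"


def parse_dnskey(rr: str) -> dict:
    """Parse '<owner> [TTL] [IN] DNSKEY <flags> <protocol> <alg> <base64...>'.
    Whitespace inside the base64 text is permitted by RFC 4034 2.2."""
    fields = rr.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record")
    i = fields.index("DNSKEY")
    flags, protocol, alg = (int(x) for x in fields[i + 1:i + 4])
    b64 = "".join(fields[i + 4:])
    # validate=True rejects characters outside the base64 alphabet; the decoder
    # itself rejects text whose length is not a whole number of 4-char groups.
    pubkey = base64.b64decode(b64, validate=True)
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": alg, "pubkey": pubkey}


def rdata(key: dict) -> bytes:
    """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]]) + key["pubkey"])


def key_tag(key: dict) -> int:
    """RFC 4034 Appendix B: an unkeyed 16-bit sum over the RDATA. It detects
    accidental damage only; it is not a cryptographic check."""
    data = rdata(key)
    if key["algorithm"] == 1:
        # Appendix B.1: RSAMD5 uses the 4th- and 3rd-to-last modulus octets.
        return int.from_bytes(data[-3:-1], "big")
    ac = 0
    for i, b in enumerate(data):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rsa_pubkey(pubkey: bytes) -> tuple:
    """RFC 3110 Section 2: exponent length (1 octet, or 0 followed by 2 octets),
    the exponent, then the modulus occupying everything that remains."""
    if not pubkey:
        raise ValueError("empty RSA public key")
    if pubkey[0] != 0:
        elen, off = pubkey[0], 1
    else:
        if len(pubkey) < 3:
            raise ValueError("truncated RSA exponent length")
        elen, off = int.from_bytes(pubkey[1:3], "big"), 3
    exponent, modulus = pubkey[off:off + elen], pubkey[off + elen:]
    if len(exponent) != elen or not modulus:
        raise ValueError("RSA key blob shorter than its exponent length claims")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def check_dnskey(rr: str) -> dict:
    """Everything checkable without an RRSIG: field ranges, base64 integrity,
    and the key blob's internal length structure."""
    key = parse_dnskey(rr)
    problems = []
    if key["protocol"] != 3:
        problems.append("protocol MUST be 3 (RFC 4034 2.1.2)")
    if not key["flags"] & FLAG_ZONE_KEY:
        problems.append("zone key bit not set; MUST NOT be used to verify RRSIGs")
    if key["flags"] & ~(FLAG_ZONE_KEY | FLAG_REVOKE | FLAG_SEP):
        problems.append("reserved flag bits set")
    result = {"key_tag": key_tag(key), "algorithm": key["algorithm"],
              "problems": problems}
    if key["algorithm"] in RSA_ALGS:
        e, n = parse_rsa_pubkey(key["pubkey"])
        result["exponent"], result["modulus_bits"] = e, n.bit_length()
        if n.bit_length() < 512:          # this example's own sanity floor
            problems.append("RSA modulus under 512 bits")
        if n.bit_length() > 4096:         # RFC 3110 interoperability limit
            problems.append("RSA modulus over 4096 bits")
    elif key["algorithm"] in DSA_ALGS:
        # RFC 2536 Section 2: T(1) | Q(20) | P | G | Y, P/G/Y each 64+8T octets.
        t = key["pubkey"][0] if key["pubkey"] else -1
        if not 0 <= t <= 8 or len(key["pubkey"]) != 213 + 24 * t:
            problems.append("DSA key length does not match its T octet (RFC 2536)")
    return result


if __name__ == "__main__":
    print(check_dnskey(SAMPLE))
```

Note that the key tag is only a collision-prone identifier for matching RRSIG and DS records to a DNSKEY; as the reply says, the real validation of a key is that an RRSIG made with it verifies and that a DS in the parent matches its hash.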