Key ID from DNSKEY - how?

Casey Deccio casey at deccio.net
Wed Oct 27 18:21:33 UTC 2010


On Wed, Oct 27, 2010 at 10:46 AM, Mark Elkins <mje at posix.co.za> wrote:
> I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
> do this in PHP as this is inside some existing PHP (Web) scripts but I
> guess calling a C program would not be too inconvenient.
>

See RFC 4034, Appendix B (http://tools.ietf.org/html/rfc4034#appendix-B)

> I'd like to index records (ie DNSKEY and DS Records) according to their
> Key-ID - and present them grouped by Key-ID. DS keys are usually
> presented with their Key-ID - so are less problematic.

The key tag field in a DS RR is the key tag value computed from the
DNSKEY RR to which it corresponds in the child zone.

>        Side issue - the RFC description for a DS Record on the wire
>        gives the first 16 bytes as the Key-ID, followed by (8-bit)
>        Algorithm, (8-bit) Digest type and (32 bytes - or so) Digest. Is
>        all this info encoded into the Base-64 stuff that one can see as
>        ascii in a zone? ... or is the base-64 ascii stuff just the
>        Digest?
>

See below for explanation of the following queries:

$ dig +short org ds
21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA

$ dig +noall +answer +multi org dnskey
;; Truncated, retrying in TCP mode.
org.			383 IN DNSKEY 257 3 7 (
				AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+
				Tz6X2fqzDC1bdq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G
				1GdbjQgbP1OyYIG7OHTc4hv5T2NlyWr6k6QFz98Q4zwF
				IGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsUACxlidpw
				B0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4h
				L1jIR2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnC
				uxkfS4AQ485KH2tpdbWcCopLJZs6tw8q3jWcpTGzdh/v
				3xdYfNpQNcPImFlxAun3BtORPA2r8ti6MNoJEHU=
				) ; key id = 9795
org.			383 IN DNSKEY 256 3 7 (
				AwEAAa1gQwarOzgSbmhYj2eRUf/1RcHuAed0zlnAmqJY
				ELF6iUGfPNSBfD0QDilro3Dxc307zVONrTK7qnWtaHXH
				NDFVbB3+qDs1E+9tUjfKt9OuFQBQuGSlVvnM7O5ASbxs
				Ex/8ms3mQFDCt4nTUmcELQGVE/EwLcDjxAUAmYBW9bQN
				) ; key id = 61598
org.			383 IN DNSKEY 256 3 7 (
				AwEAAfyGacR9k8f85+1XqM6qLTLwdAEQDHUJJbScMrqq
				XesZN6GFZDqn4zahg2GllxlHbGMuQJsWXSotq2Jp1Khe
				/fp1547v0k2jnOaFv/18wLBmUGSQNNTWpBgp8Yzu8BOw
				18kHmbXpQeju2mk6bHgiL7HkJfFoV1nsSTh15q92d5IR
				) ; key id = 245
org.			383 IN DNSKEY 257 3 7 (
				AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
				dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm
				GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
				bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t
				XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
				x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj
				CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
				DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=
				) ; key id = 21366

The first value in the DS RR (21366) is the 16-bit key tag value
computed from the org DNSKEY last in the list below. The second value
(7) corresponds to the algorithm of this DNSKEY RR.  The last field is
the hex representation of the SHA-256 digest (designated by value "2"
in the digest algorithm field of the DS RR) of DNSKEY RR 21366.

>        I'd love to be able to validate both DS and DNSKEY records that
>        people give me but I am still floundering around amongst the
>        DNSSEC RFC's...
>
> I understand that key-ID's are not necessarily unique but as I'd usually
> not have more than about 4 or so in any one domain - I'm hoping that
> statistics will be with me 99.95% of the time.
>

From RFC 4034, section 8:
   The key tag is used to help select DNSKEY resource records
   efficiently, but it does not uniquely identify a single DNSKEY
   resource record.  It is possible for two distinct DNSKEY RRs to have
   the same owner name, the same algorithm type, and the same key tag.
   An implementation that uses only the key tag to select a DNSKEY RR
   might select the wrong public key in some circumstances.  Please see
   Appendix B for further details.

> Anyway - does anyone have existing code snippets that might assist me?

See the code snippet in the RFC for starters.

Casey
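Added example (editor's code, not part of Casey's reply and not anything Mark posted): a Python script that parses the dig +multi DNSKEY output quoted above, computes the key tag exactly as RFC 4034 Appendix B does (including the separate rule for algorithm 1), groups keys by (owner, algorithm, tag) the way Mark wants to index them, and checks the org DS record by recomputing the SHA-256 digest over the canonical owner name plus the DNSKEY RDATA. The two org KSKs and the DS line are copied from the dig output in the message; all function names are the editor's own and only the standard library is used.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# Constructed sample input: the two org KSKs and the org DS record, copied from
# the dig output quoted in the message above (dig's "; key id" comments are
# ignored by the parser and serve only as a cross-check of the computed tags).
ORG_DNSKEY_TEXT = """\
org.  383 IN DNSKEY 257 3 7 (
    AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+
    Tz6X2fqzDC1bdq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G
    1GdbjQgbP1OyYIG7OHTc4hv5T2NlyWr6k6QFz98Q4zwF
    IGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsUACxlidpw
    B0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4h
    L1jIR2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnC
    uxkfS4AQ485KH2tpdbWcCopLJZs6tw8q3jWcpTGzdh/v
    3xdYfNpQNcPImFlxAun3BtORPA2r8ti6MNoJEHU=
    ) ; key id = 9795
org.  383 IN DNSKEY 257 3 7 (
    AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
    dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm
    GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
    bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t
    XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
    x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj
    CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
    DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=
    ) ; key id = 21366
"""
ORG_DS_TEXT = "21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA"

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # RFC 4034, 4509, 6605

def parse_dnskeys(text):
    """Parse dig DNSKEY output (one-line or +multi) into dicts, ignoring ";" comments."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if cur is None:  # owner ttl class type flags protocol algorithm [( key...]
            f = line.split()
            cur = dict(owner=f[0], flags=int(f[4]), proto=int(f[5]), alg=int(f[6]), b64=[])
            line, cur["open"] = " ".join(f[7:]), "(" in line
        cur["b64"] += line.replace("(", " ").replace(")", " ").split()
        if not cur["open"] or ")" in line:
            cur["pubkey"] = base64.b64decode("".join(cur.pop("b64")))
            records.append(cur)
            cur = None
    return records

def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(rec):
    """DNSKEY RDATA (RFC 4034 s2.1): 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack(">HBB", rec["flags"], rec["proto"], rec["alg"]) + rec["pubkey"]

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (16 bits; not unique, see s8)."""
    if rdata[3] == 1:  # B.1: algorithm 1 (RSA/MD5) uses two bytes of the modulus instead
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(rec, digest_type=2):
    """DS digest (RFC 4034 s5.1.4) = H(canonical owner name | DNSKEY RDATA), 2 = SHA-256."""
    return DIGESTS[digest_type](name_to_wire(rec["owner"]) + dnskey_rdata(rec)).digest()

def parse_ds(text):
    """DS presentation format: key tag, algorithm, digest type, hex digest (spaces allowed)."""
    f = text.split()
    return int(f[0]), int(f[1]), int(f[2]), bytes.fromhex("".join(f[3:]))

def index_by_tag(records):
    """Group DNSKEYs by (owner, algorithm, key tag); a bucket holding two keys is a collision."""
    idx = defaultdict(list)
    for r in records:
        idx[(r["owner"].lower(), r["alg"], key_tag(dnskey_rdata(r)))].append(r)
    return idx

def find_dnskey_for_ds(ds_text, dnskey_text):
    """Return the DNSKEY the DS commits to: algorithm, tag and digest must all match."""
    tag, alg, dtype, digest = parse_ds(ds_text)
    candidates = [r for r in parse_dnskeys(dnskey_text)
                  if r["alg"] == alg and key_tag(dnskey_rdata(r)) == tag]
    return next((r for r in candidates if ds_digest(r, dtype) == digest), None)

def zone_key_tags(text=ORG_DNSKEY_TEXT):
    """(flags, key tag) for every DNSKEY in the text, in order."""
    return [(r["flags"], key_tag(dnskey_rdata(r))) for r in parse_dnskeys(text)]
```

Calling zone_key_tags() gives the tags dig printed in its "key id" comments (9795 and 21366), and find_dnskey_for_ds(ORG_DS_TEXT, ORG_DNSKEY_TEXT) returns the 21366 KSK because tag, algorithm and digest all agree; a DS whose tag and algorithm match but whose digest does not yields None. That is the practical answer to the uniqueness worry quoted from section 8: treat the tag as an index hint, keep a list per (owner, algorithm, tag) bucket as index_by_tag does, and let the digest (for DS) or the signature (for RRSIG) decide which key is the right one.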



More information about the bind-users mailing list