convert Knot DNS sigantures certs to BIND format.

Tony Finch dot at dotat.at
Thu Mar 14 13:54:42 UTC 2019 

Milan Jeskynka Kazatel <KazatelM at seznam.cz> wrote:
>
> When I tried to re-sign my zone in BIND by Webmin, then I get this error
> message below. My original "keytag" is 43121. I don´t understand, where is
> written information like example.com/ECDSAP256SHA256/45623

BIND often does not refer to key files by filename, so it helps if you
know how the mnemonic description of the key maps to the filenames. In
this case, example.com/ECDSAP256SHA256/45623 corresponds to
Kexample.com+013+45623.key and .private - 13 is the algorithm number for
ecdsa256 and 45623 is the key tag.

> dnssec-signzone: warning: dns_dnssec_keylistfromrdataset:
> error reading private key file example.com/ECDSAP256SHA256/45623:
> file not found

I think this means there is a DNSKEY record in the zone with tag 45623, so
dnssec-signzone is looking for the corresponding private key file.

> dnssec-signzone: warning: dns_dnssec_keylistfromrdataset:
> error reading private key file example.com/ECDSAP256SHA256/43121:
> private key is invalid

This error happens if there's a cryptographic mismatch between the private
key and the public key.

The unexpected key tag might be caused by the same mismatch, but I can't
be sure about that.

It might help if I go through the details of the parts I omitted from the
end of my previous message.

Remember, I had:

$ cat /var/lib/knot/keys/zone_example.com.json
{
  "policy": "\u0006policy",
  "nsec3_salt": null,
  "nsec3_salt_created": null,
  "keys": [
    {
      "id": "c3e8539dc582bb2ceeca0ab9fb7b89d521a4f658",
      "keytag": 19633,
      "algorithm": 13,
      "public_key": "h9c2BtzXhjYHSdLC+XstMGQ6HBLgoerczR++pA/owtWv/jBxvhJiYLoH6gcXKJddCM3EVcGIv9u25TQSHQ7SrA==",
      "ksk": false,
      "created": "2019-03-12T15:44:02+0000"
    }
  ]
}

$ openssl ec -outform der </var/lib/knot/keys/keys/c3e8539dc582bb2ceeca0ab9fb7b89d521a4f658.pem |
    perl -Mv5.10 -MMIME::Base64 -e '
	undef $/; my $k = <STDIN>;
	print encode_base64 substr $k, 7, 32;
	print encode_base64 substr $k, -64;'
read EC key
writing EC key
9WCSrP5vSTrPMrMWISz3N0aU6wZPcRHxcZKE9g0Wc94=
h9c2BtzXhjYHSdLC+XstMGQ6HBLgoerczR++pA/owtWv/jBxvhJiYLoH6gcXKJddCM3EVcGIv9u2
5TQSHQ7SrA==

The JSON metadata says "algorithm": 13, "ksk": false, so I run

$ dnssec-keygen -a 13 example.com
Generating key pair.
Kexample.com.+013+11891

(If ksk is true then I need to add the -f KSK option.)

The JSON says "keytag": 19633, so I run

$ mv Kexample.com.+013+11891.key Kexample.com.+013+19633.key
$ mv Kexample.com.+013+11891.private Kexample.com.+013+19633.private

Now I need to edit the files.

In the .key file I change the keyid (aka keytag) and the public key to
match the JSON metadata. Note that the public key is very long, and you
need to avoid unwanted line breaks. (The perl magic ouput has an unwanted
line break so you might prefer to use the blob from the JSON.)

Before:

$ cat Kexample.com.+013+19633.key
; This is a zone-signing key, keyid 11891, for example.com.
; Created: 20190314133836 (Thu Mar 14 13:38:36 2019)
; Publish: 20190314133836 (Thu Mar 14 13:38:36 2019)
; Activate: 20190314133836 (Thu Mar 14 13:38:36 2019)
example.com. IN DNSKEY 256 3 13 1cZ3gTd2P3su+pWjBj+wGjGsWt22T/cZmlxrwB1Be91lW0BvrOHN1SDZ togkoCBsdb70zj2//W6QQQcgQudVEQ==

After:

$ cat Kexample.com.+013+19633.key
; This is a zone-signing key, keyid 19633, for example.com.
; Created: 20190314133836 (Thu Mar 14 13:38:36 2019)
; Publish: 20190314133836 (Thu Mar 14 13:38:36 2019)
; Activate: 20190314133836 (Thu Mar 14 13:38:36 2019)
example.com. IN DNSKEY 256 3 13 h9c2BtzXhjYHSdLC+XstMGQ6HBLgoerczR++pA/owtWv/jBxvhJiYLoH6gcXKJddCM3EVcGIv9u25TQSHQ7SrA==

I also need to change the private key to match the output from the perl magic.

Before:

$ cat Kexample.com.+013+19633.private
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: ysGhvWvE6fJcTxC9d9FXPn4qYuVkILE7l3Ei5VS2pMs=
Created: 20190314133836
Publish: 20190314133836
Activate: 20190314133836

After:

$ cat Kexample.com.+013+19633.private
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: 9WCSrP5vSTrPMrMWISz3N0aU6wZPcRHxcZKE9g0Wc94=
Created: 20190314133836
Publish: 20190314133836
Activate: 20190314133836

Now I should be able to sign the zone. I'm using the -S smart signing
option, and -P to suppress the error that is reported because my zone has
no KSK.

$ dnssec-signzone -S -P example.com
Fetching ZSK 19633/ECDSAP256SHA256 from key repository.
example.com.signed

Done.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking: Variable 3 or less, becoming southwest 4 or 5, occasionally 6 later.
Moderate or rough. Showers then rain. Good, occasionally poor.

More information about the bind-users mailing list