How to check DNSKEY using appropriate DS
The DNSKEY on a name server can be verified using its DS stored on its parent name server. As per RFC4034: The DS record refers to the DNSKEY RR, including the digest of that DNSKEY RR.
The digest is computed by combining the canonical form of the fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA, and then applying the digest algorithm.
digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
"|" denotes concatenation
DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
The following example shows the DNSKEY RR and the corresponding DS RR.
dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZDRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9XzcnOf+EPbtG9DMBmADjFDc2w/rljwvFw== ) ; key id = 60485
dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A98631FAD1A292118 )
Can anyone explain to me how to create a DS based on DNSKEY? My specific question is, how am I supposed to concatenate and generate "DNSKEY RDATA"? Thanks in advance.
According to the information on this page :
Effectively, the digest is computed over the following fields, concatenated:
DNSKEY owner name: se. (0x 02736500)
Flags: 257 (0x0101)
Protocol: 3 (0x03)
Algorithm: 5 (0x05)
Public Key: Aw ......
The first four fields are in hexadecimal: 02736500 0101 03 05.
My question was how the DNSKEY owner name value (in this case se.) can be calculated. The concept I did not know was "wire format". Fortunately, Roy Arends from Nominet, UK, explained to me what it is:
The domain name in "wire format" is a set of labels, where each label is preceded by a length value and ends with an empty label (value 0x00).
For "se.", the wire format is: 02 (length of "se"), then 73 65 (hexadecimal representation of the ASCII values for "s" and "e"), followed by an empty label (value 00): 0x 02 73 65 00
For the root ("."), the value is 00, so it will be 0x00
"dnssec-tools" is 12 characters long, so the length value is 0c, then the hexadecimal representation of the ASCII for "dnssec-tools": 64 6e 73 73 65 63 2d 74 6f 6f 6c 73
"org" is 3 characters long, so the length value is 03, then the ASCII representation of "org" in hex: 6f 72 67, followed by an empty label: 00
Total: "dnssec-tools.org." is 0x0c646e737365632d746f6f6c73036f726700
Thanks again, Roy.
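Putting the answer together in code: the following is an added example, not code from the question or the answer, that builds the canonical wire-format owner name, assembles the DNSKEY RDATA (Flags | Protocol | Algorithm | Public Key), computes the key tag from RFC 4034 Appendix B, and hashes owner name plus RDATA to obtain the DS digest. It goes slightly beyond the page by also accepting DS digest type 2 (SHA-256, RFC 4509). The sample inputs are the DNSKEY/DS pair quoted in the question (the RFC 4034 example); function names are my own.

```python
import base64
import hashlib
import hmac
import struct

# Sample input taken from the DNSKEY / DS pair quoted in the question (RFC 4034, section 5.4).
EXAMPLE_OWNER = "dskey.example.com."
EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM = 256, 3, 5
EXAMPLE_PUBKEY_B64 = (
    "AQOeiiR0GOMYkDshWoSKz9Xz"
    "fwJr1AYtsmx3TGkJaNXVbfi/"
    "2pHm822aJ5iI9BMzNXxeYCmZ"
    "DRD99WYwYqUSdjMmmAphXdvx"
    "egXd/M5+X7OrzKBaMbCVdFLU"
    "Uh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/r"
    "ljwvFw=="
)
EXAMPLE_DS = (60485, 5, 1, "2BB183AF5F22588179A53B0A98631FAD1A292118")

# DS digest type -> hash constructor (1 = SHA-1 per RFC 4034, 2 = SHA-256 per RFC 4509).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire format of a domain name (RFC 4034 section 6.2):
    lowercase ASCII, each label prefixed by its length, terminated by a zero-length label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:  # the root "." has no labels, only the terminating 0x00
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"invalid label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit Flags | 8-bit Protocol | 8-bit Algorithm | raw Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): sum the RDATA as
    big-endian 16-bit words, fold the carry back in, keep the low 16 bits."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 1) -> str:
    """digest = digest_algorithm(DNSKEY owner name | DNSKEY RDATA), as uppercase hex."""
    h = DIGEST_TYPES[digest_type]()
    h.update(owner_name_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_matches_dnskey(owner, flags, protocol, algorithm, pubkey_b64, ds) -> bool:
    """Check a DS RR (key tag, algorithm, digest type, digest hex) against a DNSKEY RR.
    All three DS fields must agree; the digest is compared in constant time."""
    ds_tag, ds_alg, ds_dtype, ds_hex = ds
    if ds_dtype not in DIGEST_TYPES:
        return False  # unknown digest type: cannot verify, treat as no match
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    if key_tag(rdata) != ds_tag or algorithm != ds_alg:
        return False
    expected = ds_hex.replace(" ", "").upper()
    return hmac.compare_digest(ds_digest(owner, rdata, ds_dtype), expected)


if __name__ == "__main__":
    rd = dnskey_rdata(EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY_B64)
    print("owner wire:", owner_name_wire(EXAMPLE_OWNER).hex())
    print("key tag:   ", key_tag(rd))
    print("DS digest: ", ds_digest(EXAMPLE_OWNER, rd, 1))
    print("DS matches:", ds_matches_dnskey(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL,
                                           EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY_B64, EXAMPLE_DS))
```

A validating resolver does exactly this comparison before trusting a child zone's DNSKEY: the owner name is lowercased before hashing (so `DSKey.Example.COM.` yields the same digest), and a DS whose key tag or algorithm field disagrees with the DNSKEY is rejected without looking at the digest.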