Clever Geek Handbook

How to check DNSKEY using appropriate DS

The DNSKEY on a name server can be verified using its DS stored on its parent name server. As per RFC4034: The DS record refers to the DNSKEY RR, including the digest of that DNSKEY RR.

The collection is computed by combining the canonical form of the fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA, and then applying the digest algorithm.

 digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);

  "|" denotes concatenation

 DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.

The following example shows the DNSKEY RR and the corresponding DS RR.

   dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
                                         fwJr1AYtsmx3TGkJaNXVbfi/
                                         2pHm822aJ5iI9BMzNXxeYCmZ
                                         DRD99WYwYqUSdjMmmAphXdvx
                                         egXd/M5+X7OrzKBaMbCVdFLU
                                         Uh6DhweJBjEVv5f2wwjM9Xzc
                                         nOf+EPbtG9DMBmADjFDc2w/r
                                         ljwvFw==
                                         ) ;  key id = 60485
   dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
                                          98631FAD1A292118 )

Can anyone explain to me how to create a DS based on DNSKEY? My specific question is, how am I supposed to concatenate and generate "DNSKEY RDATA"? Thanks in advance.

+3


source to share


1 answer


According to the information on this page :

Effectively, the digest is computed over the following fields, concatenated:

DNSKEY owner name: se. (0x 02736500) Flags: 257 (0x0101) Protocol: 3 (0x03) Algorithm: 5 (0x05) Public Key: Aw ......

The first four fields are in hexadecimal: 02736500 0101 03 05,

My question was how the DNSKEY Domain Name value (in this case se.) Can be calculated. The concept I did not know was "wire format". Fortunately, Roy Arends from Nominet, UK, explained to me what it is:



The domain name in "wireformat" is a set of labels, where each label is preceded by a length value and ends with an empty label (value 0x00)

For "se." wire format: 02 (length "se") then 73 65 (hexadecimal representation of the ascii values ​​for "s" and "e" followed by a blank label (value 00): 0x 02 73 65 00

For root ("."), The value is 00, so it will be 0x00

"dnssec-tools" is 12 characters long, so the length value is 0c, then the hexadecimal representation of the dnssec tools ascii: 64 6e 73 73 65 63 2d 74 6f 6f 6c 73 "org" is 3 characters long, so the length value is: 03 then the ascii representation of org in hex: 6f 72 67 followed by an empty label: 00

total: "dnssec-tools.org". is 0x0c646e737365632d746f6f6c73036f726700

Thanks to agian Roy.

+3


source






More articles:


All Articles