I was writing some hashing code to create DS records when I noticed
this in RFC 3658, https://tools.ietf.org/html/rfc3658#section-2.4:
The key tag is calculated as specified in RFC 2535. Algorithm MUST
be allowed to sign DNS data. The digest type is an identifier for
the digest algorithm used. The digest is calculated over the
canonical name of the delegated domain name followed by the whole
RDATA of the KEY record (all four fields).

digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata)

KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key

Digest type value 0 is reserved, value 1 is SHA-1, and reserving
other types requires IETF standards action. For interoperability
reasons, keeping number of digest algorithms low is strongly
RECOMMENDED. The only reason to reserve additional digest types is
to increase security.

DS records MUST point to zone KEY records that are allowed to
authenticate DNS data. The indicated KEY records protocol field MUST
be set to 3; flag field bit 7 MUST be set to 1. The value of other
flag bits is not significant for the purposes of this document.

It talks about "KEY record", "KEY RR" and "KEY records". These should
really be "DNSKEY record", "DNSKEY RR" and "DNSKEY records".
Should an erratum be filed for this?
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
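The DS construction the quoted RFC text describes, as an added Python example (not code from the message above or from the RFC): it builds the canonical owner name and the four-field DNSKEY RDATA, checks the "protocol MUST be 3, flag bit 7 MUST be 1" rule before producing a DS, computes the key tag, and hashes `canonical FQDN | rdata`. Digest type 1 (SHA-1) is what RFC 3658 defines; digest type 2 (SHA-256, RFC 4509) is included as a generalisation. The owner name, flags and the tiny placeholder public key are constructed sample values.

```python
import base64
import hashlib
import struct

# Digest types: 1 = SHA-1 as in RFC 3658; 2 = SHA-256 from RFC 4509 (generalisation).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire form: lower-cased labels, root label included."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Flags | Protocol | Algorithm | Public Key: the four RDATA fields, in wire order."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag arithmetic of RFC 2535 App. C / RFC 4034 App. B (non-algorithm-1 case)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def is_zone_key(flags: int, protocol: int) -> bool:
    """Protocol field must be 3 and flag bit 7 (counted from the MSB, 0x0100) must be set."""
    return protocol == 3 and bool(flags & 0x0100)

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=1):
    """Return (key_tag, algorithm, digest_type, hex digest) for a DS RR,
    refusing keys that are not allowed to authenticate zone data."""
    if not is_zone_key(flags, protocol):
        raise ValueError(f"not a zone key: flags={flags:#06x} protocol={protocol}")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = DIGEST_ALGOS[digest_type](canonical_name(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()

# Constructed sample: a 4-byte placeholder "public key" so the key-tag arithmetic is
# easy to follow by hand; real keys are hundreds of bytes. 256 = zone-key flag only.
SAMPLE_OWNER = "Example.COM."
SAMPLE_KEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    tag, alg, dt, digest = ds_record(SAMPLE_OWNER, 256, 3, 8, SAMPLE_KEY_B64)
    print(f"example.com. IN DS {tag} {alg} {dt} {digest}")
```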