Key ID from DNSKEY - how?

2010-10-27 Thread Mark Elkins
I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
do this in PHP as this is inside some existing PHP (Web) scripts but I
guess calling a C program would not be too inconvenient.

I'd like to index records (ie DNSKEY and DS Records) according to their
Key-ID - and present them grouped by Key-ID. DS keys are usually
presented with their Key-ID - so are less problematic.

Side issue - the RFC description for a DS Record on the wire
gives the first 16 bytes as the Key-ID, followed by (8-bit)
Algorithm, (8-bit) Digest type and (32 bytes - or so) Digest. Is
all this info encoded into the Base-64 stuff that one can see as
ascii in a zone? ... or is the base-64 ascii stuff just the
Digest?

I'd love to be able to validate both DS and DNSKEY records that
people give me but I am still floundering around amongst the
DNSSEC RFC's...

I understand that key-ID's are not necessarily unique but as I'd usually
not have more than about 4 or so in any one domain - I'm hoping that
statistics will be with me 99.95% of the time. 

Anyway - does anyone have existing code snippets that might assist me?
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Key ID from DNSKEY - how?

2010-10-27 Thread Casey Deccio
On Wed, Oct 27, 2010 at 10:46 AM, Mark Elkins m...@posix.co.za wrote:
 I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
 do this in PHP as this is inside some existing PHP (Web) scripts but I
 guess calling a C program would not be too inconvenient.


See RFC 4034, Appendix B (http://tools.ietf.org/html/rfc4034#appendix-B )

 I'd like to index records (ie DNSKEY and DS Records) according to their
 Key-ID - and present them grouped by Key-ID. DS keys are usually
 presented with their Key-ID - so are less problematic.

The key tag field in a DS RR is the key tag value computed from the
DNSKEY RR to which it corresponds in the child zone.

        Side issue - the RFC description for a DS Record on the wire
        gives the first 16 bytes as the Key-ID, followed by (8-bit)
        Algorithm, (8-bit) Digest type and (32 bytes - or so) Digest. Is
        all this info encoded into the Base-64 stuff that one can see as
        ascii in a zone? ... or is the base-64 ascii stuff just the
        Digest?


See below for explanation of the following queries:

$ dig +short org ds
21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA

$ dig +noall +answer +multi org dnskey
;; Truncated, retrying in TCP mode.
org. 383 IN DNSKEY 257 3 7 (
AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+
Tz6X2fqzDC1bdq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G
1GdbjQgbP1OyYIG7OHTc4hv5T2NlyWr6k6QFz98Q4zwF
IGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsUACxlidpw
B0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4h
L1jIR2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnC
uxkfS4AQ485KH2tpdbWcCopLJZs6tw8q3jWcpTGzdh/v
3xdYfNpQNcPImFlxAun3BtORPA2r8ti6MNoJEHU=
) ; key id = 9795
org. 383 IN DNSKEY 256 3 7 (
AwEAAa1gQwarOzgSbmhYj2eRUf/1RcHuAed0zlnAmqJY
ELF6iUGfPNSBfD0QDilro3Dxc307zVONrTK7qnWtaHXH
NDFVbB3+qDs1E+9tUjfKt9OuFQBQuGSlVvnM7O5ASbxs
Ex/8ms3mQFDCt4nTUmcELQGVE/EwLcDjxAUAmYBW9bQN
) ; key id = 61598
org. 383 IN DNSKEY 256 3 7 (
AwEAAfyGacR9k8f85+1XqM6qLTLwdAEQDHUJJbScMrqq
XesZN6GFZDqn4zahg2GllxlHbGMuQJsWXSotq2Jp1Khe
/fp1547v0k2jnOaFv/18wLBmUGSQNNTWpBgp8Yzu8BOw
18kHmbXpQeju2mk6bHgiL7HkJfFoV1nsSTh15q92d5IR
) ; key id = 245
org. 383 IN DNSKEY 257 3 7 (
AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm
GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t
XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj
CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=
) ; key id = 21366

The first value in the DS RR (21366) is the 16-bit key tag value
computed from the org DNSKEY last in the list below. The second value
(7) corresponds to the algorithm of this DNSKEY RR.  The last field is
the hex representation of the SHA-256 digest (designated by value 2
in the digest algorithm field of the DS RR) of DNSKEY RR 21366.

        I'd love to be able to validate both DS and DNSKEY records that
        people give me but I am still floundering around amongst the
        DNSSEC RFC's...

 I understand that key-ID's are not necessarily unique but as I'd usually
 not have more than about 4 or so in any one domain - I'm hoping that
 statistics will be with me 99.95% of the time.


From RFC 4034, section 8:
   The key tag is used to help select DNSKEY resource records
   efficiently, but it does not uniquely identify a single DNSKEY
   resource record.  It is possible for two distinct DNSKEY RRs to have
   the same owner name, the same algorithm type, and the same key tag.
   An implementation that uses only the key tag to select a DNSKEY RR
   might select the wrong public key in some circumstances.  Please see
   Appendix B for further details.

 Anyway - does anyone have existing code snippets that might assist me?

See the code snippet in the RFC for starters.

Casey
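Casey's walk-through turned into working code. This is an added example, not code from the thread and not BIND's own implementation: it parses DNSKEY and DS records in presentation form (the `dig +multi` and `dig +short` output shown above), computes the RFC 4034 Appendix B key tag over the DNSKEY RDATA, computes the DS digest over the owner name in wire form followed by that RDATA, and checks that a DS really points at a DNSKEY. The records inside it are constructed for illustration ("AQIDBA==" is four arbitrary bytes, not a real key), and the two DNSKEYs are deliberately built to share a key tag, which is the collision RFC 4034 section 8 warns about; only digest types 1 (SHA-1) and 2 (SHA-256) are handled. Feeding it the `org` DS and DNSKEY RRs quoted above is the real check.

```python
"""Key tag and DS digest from a DNSKEY RR (RFC 4034, section 5.1.4 and Appendix B)."""
import base64
import hashlib
import struct

# DS digest types this example understands (RFC 4034 section 5.1.3, RFC 4509).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long in %r" % name)
        if raw:                       # the root name "." yields only the terminator
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA on the wire: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words and fold the carry.
    Word order does not affect the sum, so distinct keys can share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 section 5.1.4): digest(owner name wire form | DNSKEY RDATA).
    The Base64 in the zone file is only the public key; flags, protocol and
    algorithm are separate fields, and the owner name is prepended before hashing."""
    h = DIGEST_TYPES[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def _tokens(rr):
    """Presentation-form tokens with per-line comments and parentheses removed."""
    out = []
    for line in rr.splitlines():
        out += line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    return out


def parse_dnskey(rr):
    """Parse a DNSKEY RR as printed by `dig +multi` (multi-line, parenthesised,
    trailing '; key id' comment). Returns (owner, rdata)."""
    t = _tokens(rr)
    i = t.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in t[i + 1:i + 4])
    pubkey = base64.b64decode("".join(t[i + 4:]))
    return t[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def parse_ds(rr):
    """Parse a DS RR, either a full RR or the bare RDATA that `dig +short` prints.
    Returns (owner or None, key tag, algorithm, digest type, digest hex)."""
    t = _tokens(rr)
    i = t.index("DS") if "DS" in t else -1
    tag, alg, dtype = (int(x) for x in t[i + 1:i + 4])
    return (t[0] if i >= 0 else None), tag, alg, dtype, "".join(t[i + 4:]).upper()


def ds_matches_dnskey(ds_rr, dnskey_rr):
    """The check asked for in the thread: owner, key tag, algorithm and digest must all agree."""
    ds_owner, tag, alg, dtype, digest = parse_ds(ds_rr)
    owner, rdata = parse_dnskey(dnskey_rr)
    if ds_owner is not None and name_to_wire(ds_owner) != name_to_wire(owner):
        return False
    if tag != key_tag(rdata) or alg != rdata[3] or dtype not in DIGEST_TYPES:
        return False
    return digest == ds_digest(owner, rdata, dtype)


if __name__ == "__main__":
    # Constructed records, not real keys: the public key field is four arbitrary bytes.
    KEY_A = "example. 3600 IN DNSKEY 256 3 8 ( AQIDBA== ) ; key id = 2062"   # bytes 01 02 03 04
    KEY_B = "example. 3600 IN DNSKEY 256 3 8 ( AwQBAg== ) ; key id = 2062"   # bytes 03 04 01 02
    owner, rdata_a = parse_dnskey(KEY_A)
    ds = "example. 3600 IN DS %d 8 2 %s" % (key_tag(rdata_a), ds_digest(owner, rdata_a, 2))
    print(ds)
    for rr in (KEY_A, KEY_B):
        _, rdata = parse_dnskey(rr)
        print("key tag %5d  DS matches: %s" % (key_tag(rdata), ds_matches_dnskey(ds, rr)))
```

Both constructed keys print key tag 2062, but only KEY_A matches the DS: the tag is just a lookup hint, and the digest is what actually binds the DS to one DNSKEY. Grouping DNSKEY and DS records by key tag, as Mark wants to, is fine for display as long as the final match is done on the digest.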


Re: Key ID from DNSKEY - how?

2010-10-27 Thread Alan Clegg
On 10/27/2010 1:46 PM, Mark Elkins wrote:
 I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
 do this in PHP as this is inside some existing PHP (Web) scripts but I
 guess calling a C program would not be too inconvenient.

[...]

 Anyway - does anyone have existing code snippets that might assist me?

You may want to look at dnssec-dsfromkey

AlanC




Re: Key ID from DNSKEY - how?

2010-10-27 Thread Phil Mayers

On 10/27/2010 06:46 PM, Mark Elkins wrote:

I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
do this in PHP as this is inside some existing PHP (Web) scripts but I
guess calling a C program would not be too inconvenient.


I use some Python code to do this in our debugging/management tools, 
translated straight from the RFC; it might convert pretty easily into 
PHP, although in my experience language number/bit-shift/overflow 
behaviour can be a bit... odd.


import base64
import struct

def key2keytag(flags, alg1, alg2, keydata):
    # RFC 4034 Appendix B: the tag is computed over the DNSKEY RDATA, i.e.
    # 16-bit flags, 8-bit protocol (alg1), 8-bit algorithm (alg2), key bytes
    data = struct.pack('!HBB', flags, alg1, alg2)
    data += base64.b64decode(keydata)
    v = 0
    for i in range(len(data)):
        if i & 1:                  # odd offsets are the low byte of a 16-bit word
            v += data[i]
        else:                      # even offsets are the high byte
            v += data[i] << 8
    v += (v >> 16) & 0xFFFF        # fold the carry back in
    return v & 0xFFFF

Called like so:

tag = key2keytag(257, 3, 5, 'AwEAA...')

Very handy during testing is:

dig +multi domain.com DNSKEY

...which displays the tag as a comment. HTH