[Opendnssec-develop] DSA key length in DNSKEY records

Olaf Kolkman olaf at NLnetLabs.nl
Wed Mar 17 10:53:34 UTC 2010

On Mar 17, 2010, at 11:03 AM, Alexd at nominet.org.uk wrote:

> Hi - 
> This is a bit of a stupid question, I'm afraid... 
> I'm adding a quick check that the DNSKEY records generated by ODS are of the correct algorithm and key length. This is OK for RSA keys - we extract the modulus from the RDATA field, and take the length of that (defined in RFC 3110). However, I can't seem to find a definition of key length for DSA keys. Perl's Net::DNS::SEC module seems to return the T value, which can vary from 0 to 8, but this doesn't seem right. 
> I know that the DSA length must depend on the T value, but I can't find a specification for the relationship. 

As author of that Net::DNS::SEC code, I took the T parameter as the only sensible value.
The documentation is terse:
    For DSA this method returns the value of the T parameter (See RFC2536)

In RFC2536:

   As described in [FIPS 186] and [ ]: T is a key size parameter
   chosen such that 0 <= T <= 8.  (The meaning for algorithm 3 if the T
   octet is greater than 8 is reserved and the remainder of the RDATA
   portion may have a different format in that case.)  Q is a prime
   number selected at key generation time such that 2**159 < Q < 2**160
   so Q is always 20 octets long and, as with all other fields, is
   stored in "big-endian" network order.  P, G, and Y are calculated as
   directed by the FIPS 186 key generation algorithm [ ].  P is
   in the range 2**(511+64T) < P < 2**(512+64T) and so is 64 + 8*T
   octets long.  G and Y are quantities modulus P and so can be up to
   the same length as P and are allocated fixed size fields with the
   same number of octets as P.

Does that help?



Olaf M. Kolkman                        NLnet Labs
                                       Science Park 140, 
http://www.nlnetlabs.nl/               1098 XG Amsterdam
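The check the question asks for, written out as an added example (this is not code from the thread, from Net::DNS::SEC or from OpenDNSSEC): it parses the public-key field of a DNSKEY RDATA, derives the DSA key length from T exactly as the RFC 2536 text above describes (P is 64 + 8*T octets, so 512 + 64*T bits), and verifies that the RDATA length and the top bits of Q and P are consistent with that T. It also covers the RSA case mentioned in the question (RFC 3110 layout, key length = bit length of the modulus), so one routine handles both algorithms. Python is used instead of Perl; all sample keys are constructed filler bytes, not real keys, and the helper names are this example's own.

```python
"""Key-length check for DNSKEY RDATA (added example, not from the mailing list thread).

DSA (algorithm 3) follows RFC 2536: public key = T | Q (20 octets) | P | G | Y,
with P, G and Y each 64 + 8*T octets.  RSA follows RFC 3110: exponent length
(1 octet, or 0 followed by 2 octets), exponent, modulus.  Sample data below is
constructed filler, not a real key.
"""
import struct

DSA_Q_OCTETS = 20   # Q is fixed at 20 octets (2**159 < Q < 2**160)
DSA_T_MAX = 8       # T > 8 is reserved by RFC 2536
DNSKEY_ALG_DSA = 3
RSA_ALGS = {1, 5, 7, 8, 10}   # RSAMD5, RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512


def dsa_key_bits_from_t(t: int) -> int:
    """RFC 2536: P is 64 + 8*T octets long, i.e. the key length is 512 + 64*T bits."""
    if not 0 <= t <= DSA_T_MAX:
        raise ValueError(f"T={t} is reserved by RFC 2536 (must be 0..8)")
    return 512 + 64 * t


def parse_dsa_public_key(pk: bytes) -> dict:
    """Validate the T|Q|P|G|Y layout and return the fields plus the key length in bits."""
    if len(pk) < 1:
        raise ValueError("empty DSA public key field")
    t = pk[0]
    bits = dsa_key_bits_from_t(t)            # rejects reserved T values
    p_len = 64 + 8 * t
    expected = 1 + DSA_Q_OCTETS + 3 * p_len  # T, Q, then P, G, Y of equal size
    if len(pk) != expected:
        raise ValueError(f"DSA key with T={t} must be {expected} octets, got {len(pk)}")
    off = 1
    q = pk[off:off + DSA_Q_OCTETS]; off += DSA_Q_OCTETS
    p = pk[off:off + p_len]; off += p_len
    g = pk[off:off + p_len]; off += p_len
    y = pk[off:off + p_len]
    # 2**159 < Q and 2**(511+64T) < P imply the most significant bit of each is set.
    if not q[0] & 0x80:
        raise ValueError("Q is not in the range 2**159 < Q < 2**160")
    if not p[0] & 0x80:
        raise ValueError(f"P is not in the range 2**(511+64T) < P < 2**(512+64T) for T={t}")
    return {"T": t, "bits": bits, "Q": q, "P": p, "G": g, "Y": y}


def parse_rsa_public_key(pk: bytes) -> dict:
    """RFC 3110 layout: exponent length, exponent, modulus; key length is the modulus bit length."""
    if len(pk) < 3:
        raise ValueError("RSA public key field too short")
    if pk[0] != 0:
        e_len, off = pk[0], 1                       # short form: 1-octet length
    else:
        e_len, off = struct.unpack("!H", pk[1:3])[0], 3   # long form: 0 + 2-octet length
    exponent = pk[off:off + e_len]
    modulus = pk[off + e_len:]
    if len(exponent) != e_len or not modulus:
        raise ValueError("RSA exponent/modulus lengths inconsistent with field size")
    bits = int.from_bytes(modulus, "big").bit_length()   # leading zero octets do not count
    return {"exponent": exponent, "modulus": modulus, "bits": bits}


def dnskey_key_bits(rdata: bytes) -> int:
    """Take full DNSKEY RDATA (flags, protocol, algorithm, public key) and return the key length."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA too short")
    _flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {protocol}")
    pk = rdata[4:]
    if algorithm == DNSKEY_ALG_DSA:
        return parse_dsa_public_key(pk)["bits"]
    if algorithm in RSA_ALGS:
        return parse_rsa_public_key(pk)["bits"]
    raise ValueError(f"no key-length rule implemented for algorithm {algorithm}")


def make_constructed_dsa_rdata(t: int) -> bytes:
    """Build structurally valid DSA DNSKEY RDATA from filler bytes (constructed, not a real key)."""
    p_len = 64 + 8 * t
    q = b"\xd5" + b"\x55" * (DSA_Q_OCTETS - 1)   # top bit set, as 2**159 < Q requires
    p = b"\xb3" + b"\x33" * (p_len - 1)          # top bit set, as 2**(511+64T) < P requires
    g = b"\x11" * p_len
    y = b"\x22" * p_len
    return struct.pack("!HBB", 256, 3, DNSKEY_ALG_DSA) + bytes([t]) + q + p + g + y


if __name__ == "__main__":
    for t in range(DSA_T_MAX + 1):
        print(f"T={t}: DSA key length {dnskey_key_bits(make_constructed_dsa_rdata(t))} bits")
```

The length check matters as much as the T lookup: a record whose RDATA length does not match 1 + 20 + 3*(64 + 8*T) is either corrupt or uses the reserved T > 8 format, and in both cases reporting a key length from T alone would be misleading.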
