[Opendnssec-develop] DSA key length in DNSKEY records
olaf at NLnetLabs.nl
Wed Mar 17 10:53:34 UTC 2010
On Mar 17, 2010, at 11:03 AM, Alexd at nominet.org.uk wrote:
> Hi -
> This is a bit of a stupid question, I'm afraid...
> I'm adding a quick check that the DNSKEY records generated by ODS are of the correct algorithm and key length. This is OK for RSA keys - we extract the modulus from the RDATA field, and take the length of that (defined in RFC 3110). However, I can't seem to find a definition of key length for DSA keys. Perl's Net::DNS::SEC module seems to return the T value, which can vary from 0 to 8, but this doesn't seem right.
> I know that the DSA length must depend on the T value, but I can't find a specification for the relationship.
As author of that Net::DNS::SEC code. I took the T-parameter the only sensible value.
The documentation is terse
For DSA this method returns the value of the T parameter (See RFC2536)
As described in [FIPS 186] and [
]: T is a key size parameter
chosen such that 0 <= T <= 8. (The meaning for algorithm 3 if the T
octet is greater than 8 is reserved and the remainder of the RDATA
portion may have a different format in that case.) Q is a prime
number selected at key generation time such that 2**159 < Q < 2**160
so Q is always 20 octets long and, as with all other fields, is
stored in "big-endian" network order. P, G, and Y are calculated as
directed by the FIPS 186 key generation algorithm [
]. P is
in the range 2**(511+64T) < P < 2**(512+64T) and so is 64 + 8*T
octets long. G and Y are quantities modulus P and so can be up to
the same length as P and are allocated fixed size fields with the
same number of octets as P.
Does that help?
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
More information about the Opendnssec-develop