[Opendnssec-develop] DSA key length in DNSKEY records

Rickard Bellgrim rickard.bellgrim at iis.se
Wed Mar 17 12:04:57 UTC 2010


On 17 mar 2010, at 12.45, Olaf Kolkman wrote:

> 
> On Mar 17, 2010, at 12:34 PM, Alexd at nominet.org.uk wrote:
> 
>> 
>> My current best guess is that the DSA key length can be derived as (64 + 8*T) octets. However, I still don't think I've found anything which specifically confirms this (i.e. RFC 2536 doesn't actually confirm that the length of P is actually the key length - I think). 
>> 
>> Thanks for your help, 
>> 
> 
> That is why I take T as the primary measure in Net::DNS::SEC. I can live with better values, let me know if you find something there.

I think you should use T as the measure of key length. You can also get T directly from the RDATA of the DNSKEY.

           Field     Size
           -----     ----
            T         1  octet
            Q        20  octets
            P        64 + T*8  octets
            G        64 + T*8  octets
            Y        64 + T*8  octets

// Rickard
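
Added example, not part of the original message or of OpenDNSSEC / Net::DNS::SEC: a sketch of reading T from the RDATA of a DSA DNSKEY and deriving the key length from the field sizes in the table above. The function names and the sample record are constructed for illustration; the 0..8 bound on T is taken from RFC 2536.

```python
import struct

# IANA DNSSEC algorithm numbers: 3 = DSA/SHA1, 6 = DSA-NSEC3-SHA1
DSA_ALGORITHMS = {3, 6}


def dsa_key_bits(rdata: bytes) -> int:
    """Return the size of P in bits for a DSA DNSKEY given its wire-format RDATA."""
    if len(rdata) < 5:
        raise ValueError("RDATA too short for DNSKEY header plus T octet")
    # DNSKEY RDATA: flags (2 octets), protocol (1), algorithm (1), public key
    _flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if algorithm not in DSA_ALGORITHMS:
        raise ValueError(f"algorithm {algorithm} is not DSA")
    key = rdata[4:]
    t = key[0]
    if t > 8:
        # RFC 2536 reserves T > 8; the layout below does not apply then
        raise ValueError(f"T={t} is outside the 0..8 range of RFC 2536")
    n = 64 + 8 * t             # octets in each of P, G and Y
    expected = 1 + 20 + 3 * n  # T + Q + P + G + Y
    if len(key) != expected:
        raise ValueError(
            f"public key field is {len(key)} octets, expected {expected} for T={t}"
        )
    return n * 8


def make_sample_rdata(t: int) -> bytes:
    """Constructed DNSKEY RDATA with filler bytes for Q, P, G, Y (not a real key)."""
    n = 64 + 8 * t
    header = struct.pack("!HBB", 256, 3, 3)  # flags=256, protocol=3, algorithm=3
    return header + bytes([t]) + b"\x01" * 20 + b"\x02" * (3 * n)


if __name__ == "__main__":
    for t in (0, 4, 8):
        print(f"T={t}: {dsa_key_bits(make_sample_rdata(t))} bits")
```

Checking the total length against T rejects truncated or padded records instead of reporting a key size the data does not actually carry.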

