[Opendnssec-user]DS Calculation
Roy Arends
roy at nominet.org.uk
Mon Aug 13 09:00:39 UTC 2012
On Aug 13, 2012, at 8:00 AM, wfXLtg== wrote:
> Hi all,
> Does anyone know how to calculate a DS RR? I found the formula in RFC 4034, but got puzzled:
>
> "
> The digest is calculated by concatenating the canonical form of the
> fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA,
> and then applying the digest algorithm.
>
> digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
>
> "|" denotes concatenation
>
> DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
>
> "
> If there is a DNSKEY RR as follows:
> se. 3600 IN DNSKEY 257 3 5 AwEAAZYYG1hpk8XKHNHpdO/E
> Eg+r4YmIEC4Fn3x2DEsygxDuoT9d/QCi X1pz0omFGCaVfCWHvaScVvWd4xP4kNDnSDQxBzPwLEXE3l0
> cLseMJ2YM QeBPf3hGhLs6VSDnGFKAzNG4fhri9EBTLv9ubL8Kx8cWQKuu3A5HRVD3 li7lZB+0kmUKq
> GiIQdERKt/Ec36BkK93lyGags5RrR2VDdrXCj9Yay90 KCKITk52AbwVoMPm0OYlPbD4ViBPMk5nmh/d
> PeCoZoVJxgANZ/doVQxR 5vDkMBYxuhrXuQk3CvZBB011NsXxk9yHtHvp/5gjUVJjvhdRvjRB6/xY R0
> 3c9owi/aM=
>
> How to calculate ds using the formula above?
> Is "1(se.|257|3|5|AwEAAZYYG1hpk8XK...)" right for sha-1 ? But I know it's wrong.
> I have tried many other forms but haven't got the right result yet; does anyone
> know how to do it?
Yup, here goes:
DNSSEC using shell commands ;-)
Effectively, the digest is calculated over the following fields, concatenated:
DNSKEY owner name: se. (0x02736500)
Flags: 257 (0x0101)
Protocol: 3 (0x03)
Algorithm: 5 (0x05)
Public Key: Aw……
The first four fields, in hex are as follows:
02736500 0101 03 05,
dump that into a file:
echo -n "0273650001010305" > first_part
Convert the dnskey blurb to hex using base64 and xxd (unix tools):
echo -n 'AwEAAZYYG1hpk8XKHNHpdO/EEg+r4YmIEC4Fn3x2DEsygxDuoT9d/QCi X1pz0omFGCaVfCWHvaScVvWd4xP4kNDnSDQxBzPwLEXE3l0cLseMJ2YM QeBPf3hGhLs6VSDnGFKAzNG4fhri9EBTLv9ubL8Kx8cWQKuu3A5HRVD3 li7lZB+0kmUKqGiIQdERKt/Ec36BkK93lyGags5RrR2VDdrXCj9Yay90 KCKITk52AbwVoMPm0OYlPbD4ViBPMk5nmh/dPeCoZoVJxgANZ/doVQxR 5vDkMBYxuhrXuQk3CvZBB011NsXxk9yHtHvp/5gjUVJjvhdRvjRB6/xY R03c9owi/aM=' |base64 -D -i- |xxd -ps > second_part
Now convert the hexdumps to binary, pipe it through shasum, and we're done:
cat first_part second_part|xxd -r -p|shasum -a 256
Which results in:
44388b3de9a22cafa8a12883f60a0f984472d0dfef0f63ed59a29be018658b28 -
which is the same as:
dig +short se ds|awk '{print $4 $5}'
44388B3DE9A22CAFA8A12883F60A0F984472D0DFEF0F63ED59A29BE018658B28
Hope this helps
Roy Arends
Nominet UK
>
> Best regards,
> Stuart
>
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
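The same calculation done programmatically, as an added example that is not part of Roy's message or of OpenDNSSEC's own code. It uses only Python's hashlib, base64 and struct: it builds the canonical wire-format owner name (lowercased labels, each prefixed by its length, terminated by the root label 0x00), packs Flags, Protocol and Algorithm big-endian, appends the base64-decoded public key, and hashes the result. It goes beyond the single-label "se." case above by handling multi-label and mixed-case names and both DS digest type 1 (SHA-1) and type 2 (SHA-256); the key-tag helper (RFC 4034 Appendix B) and the function and constant names are my own and not from the thread. The key material is the se. DNSKEY quoted in the question.

```python
"""DS digest and key tag for a DNSKEY RR (RFC 4034, sections 5.1.4 and Appendix B)."""
import base64
import hashlib
import struct

# DS digest type -> hashlib algorithm name (RFC 4034 type 1, RFC 4509 type 2).
DIGEST_TYPES = {1: "sha1", 2: "sha256"}

# The se. KSK from the question, whitespace included as it appeared in the zone.
SE_KSK_PUBLIC_KEY = (
    "AwEAAZYYG1hpk8XKHNHpdO/EEg+r4YmIEC4Fn3x2DEsygxDuoT9d/QCi "
    "X1pz0omFGCaVfCWHvaScVvWd4xP4kNDnSDQxBzPwLEXE3l0cLseMJ2YM "
    "QeBPf3hGhLs6VSDnGFKAzNG4fhri9EBTLv9ubL8Kx8cWQKuu3A5HRVD3 "
    "li7lZB+0kmUKqGiIQdERKt/Ec36BkK93lyGags5RrR2VDdrXCj9Yay90 "
    "KCKITk52AbwVoMPm0OYlPbD4ViBPMk5nmh/dPeCoZoVJxgANZ/doVQxR "
    "5vDkMBYxuhrXuQk3CvZBB011NsXxk9yHtHvp/5gjUVJjvhdRvjRB6/xY "
    "R03c9owi/aM="
)


def canonical_owner_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    labels lowercased, each prefixed by its length byte, root label last."""
    name = name.lower().rstrip(".")
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label length must be between 1 and 63 octets")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: Flags (16 bit) | Protocol (8 bit) | Algorithm (8 bit) | Public Key."""
    # Presentation-format base64 may be broken up by whitespace; strip it first.
    key = base64.b64decode("".join(public_key_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """Key tag for DNSKEY algorithms other than 1 (RFC 4034 Appendix B)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, flags: int, protocol: int, algorithm: int,
              public_key_b64: str, digest_type: int = 2) -> str:
    """digest = digest_algorithm(canonical owner name | DNSKEY RDATA), as hex."""
    data = canonical_owner_name(owner) + dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    return hashlib.new(DIGEST_TYPES[digest_type], data).hexdigest()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS RR: owner IN DS key_tag algorithm digest_type digest."""
    tag = key_tag(dnskey_rdata(flags, protocol, algorithm, public_key_b64))
    digest = ds_digest(owner, flags, protocol, algorithm, public_key_b64, digest_type)
    return f"{owner} IN DS {tag} {algorithm} {digest_type} {digest.upper()}"


if __name__ == "__main__":
    print(ds_record("se.", 257, 3, 5, SE_KSK_PUBLIC_KEY, digest_type=2))
```

Running the block prints the SHA-256 DS record for the se. KSK; the digest part is the same value Roy obtained with the shell pipeline and with dig. Passing digest_type=1 yields the SHA-1 DS instead, and because the owner name is lowercased and encoded label by label, the same function works for names such as "Example.COM" without any change.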