[Opendnssec-user] Key tag miscalculation?
Paul Wouters
paul at cypherpunks.ca
Thu Jan 5 14:01:46 UTC 2012
I have the current bind-based key set:
dig +multi dnskey hacklab.to
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> +multi dnskey hacklab.to
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31983
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;hacklab.to. IN DNSKEY
;; ANSWER SECTION:
hacklab.to. 3600 IN DNSKEY 256 3 7 (
BQEAAAABx40rbmkAmztlEyW1vfV9Rc4FJ9b+q4CAKka2
Tpo2Fj/mEvD+5FX6oqgGLD78Tdyo8nSMTjCqOzFRIPFl
fcHTg713tvQIV6SINjCK+s1LghW9LB07xXUj7Lsxv+rH
Lxdj0Vm6lPbI4XUU2bP/snskSFjqz/8/Eg5wc3S70GTh
t6c=
) ; key id = 50014
hacklab.to. 3600 IN DNSKEY 256 3 7 (
BQEAAAAB5kSp7mZgqN1Ij4SqfzSxJRZHQHMlcEx7g5GD
UBL9CzuUGh+S8lviYVJvcFk0ItVxHPA0heJ9O9ktzRED
xGNJBUSQq7mhdHWztO+2Cn3oJFXYsksT8SMHN0y5aSL2
uN7K5mf0dsbdXzJkKRx96Swv+tis7oAbgKi+ezwzpTh6
DhU=
) ; key id = 31840
hacklab.to. 3600 IN DNSKEY 257 3 7 (
AwEAAc9TkaMBxWw1Ib7xLzj5rfjkudp0u1I4InRM5sNq
HwfqW2fdt3x48uaiVbE97wITjOJYfLX0urvd4oh2V0xF
O+qtfWoZGt5gh0pPY9s15NHSA/JqtqGQpPyYZJo5DS5M
5KsU3GHfVoX7kB/wR3F0N2mPfNpzw+l/NZ6HnWYPovH4
JioVABUSK891CqZL4lKnWQ2TBWJHXz3rApeUIrdcfYaV
8AmWr3b2ISiM1UPXCfJvc9GjImdCPPkaRG/Q5P76A1vO
MbJbI44sEuuEpP+i1LGPbE8uCMwHrukqjCbi/J4U0Ery
CwVe0HbouHFgE25Jri67bMrJ3XvnNqxUhvxDKGk=
) ; key id = 10416
;; Query time: 3 msec
;; SERVER: 193.110.157.123#53(193.110.157.123)
;; WHEN: Wed Dec 21 14:47:02 2011
;; MSG SIZE rcvd: 604
After importing these into opendnssec:
[root at hacklab.to]# ods-ksmutil key list --verbose
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition: CKA_ID: Repository: Keytag:
hacklab.to KSK active 2011-10-10 00:00:00 A9 SoftHSM 10414
hacklab.to ZSK retire 2011-12-29 03:45:24 AA SoftHSM 31838
hacklab.to ZSK active 2012-01-20 14:45:24 AB SoftHSM 50012
Note how the key tags are off-by-two.
If it matters, these are RSASHA1 keys.
Paul
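
Added example, not part of the original post: the RFC 4034 Appendix B key tag is a checksum over the whole DNSKEY RDATA, flags, protocol and algorithm fields included. This Python sketch recomputes the tags of the three keys in the dig answer with the algorithm field set to 7 (as dig shows) and to 5 (RSASHA1, the algorithm named in the post). That the imported keys were tagged under algorithm 5 is an assumption, and the function and variable names are this example's own.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    pubkey = base64.b64decode("".join(pubkey_b64.split()))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low
        # byte; the algorithm number sits at offset 3 and is added unshifted.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# (flags, key id printed by dig, public key), copied from the dig answer in the post.
KEYS = [
    (256, 50014, """BQEAAAABx40rbmkAmztlEyW1vfV9Rc4FJ9b+q4CAKka2
        Tpo2Fj/mEvD+5FX6oqgGLD78Tdyo8nSMTjCqOzFRIPFl
        fcHTg713tvQIV6SINjCK+s1LghW9LB07xXUj7Lsxv+rH
        Lxdj0Vm6lPbI4XUU2bP/snskSFjqz/8/Eg5wc3S70GTh
        t6c="""),
    (256, 31840, """BQEAAAAB5kSp7mZgqN1Ij4SqfzSxJRZHQHMlcEx7g5GD
        UBL9CzuUGh+S8lviYVJvcFk0ItVxHPA0heJ9O9ktzRED
        xGNJBUSQq7mhdHWztO+2Cn3oJFXYsksT8SMHN0y5aSL2
        uN7K5mf0dsbdXzJkKRx96Swv+tis7oAbgKi+ezwzpTh6
        DhU="""),
    (257, 10416, """AwEAAc9TkaMBxWw1Ib7xLzj5rfjkudp0u1I4InRM5sNq
        HwfqW2fdt3x48uaiVbE97wITjOJYfLX0urvd4oh2V0xF
        O+qtfWoZGt5gh0pPY9s15NHSA/JqtqGQpPyYZJo5DS5M
        5KsU3GHfVoX7kB/wR3F0N2mPfNpzw+l/NZ6HnWYPovH4
        JioVABUSK891CqZL4lKnWQ2TBWJHXz3rApeUIrdcfYaV
        8AmWr3b2ISiM1UPXCfJvc9GjImdCPPkaRG/Q5P76A1vO
        MbJbI44sEuuEpP+i1LGPbE8uCMwHrukqjCbi/J4U0Ery
        CwVe0HbouHFgE25Jri67bMrJ3XvnNqxUhvxDKGk="""),
]

def compare(alg_dig=7, alg_assumed=5):
    """Return (dig key id, tag with alg_dig, tag with alg_assumed) per key."""
    return [(kid, key_tag(f, 3, alg_dig, pk), key_tag(f, 3, alg_assumed, pk))
            for f, kid, pk in KEYS]

if __name__ == "__main__":
    for kid, tag_dig, tag_assumed in compare():
        print(f"dig id {kid}: algorithm 7 -> {tag_dig}, algorithm 5 -> {tag_assumed}")
```

With the algorithm field set to 5 the three tags come out as 50012, 31838 and 10414, the values in the ods-ksmutil listing.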