[Opendnssec-user] DNSKEY keytag calculation differences between ods-hsmutil and ods-ksmutil

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Nov 14 08:51:59 UTC 2013


Hi Klaus,

On 11/14/2013 08:25 AM, Klaus Darilion wrote:
> Hi! Using ODS 1.3.15 and nCipher HSMs:
> 
> The key itself is identical, but the calculated tag differs when
> calculated by ods-hsmutil: KSKs have an offset of 4 (and reported falsely
> as ZSK), ZSKs have an offset of 3.

The reason for this is that ods-ksmutil has knowledge of the kasp
database. Thus, it knows which DNSKEY algorithm and which flags are used
for keys.

'ods-hsmutil dnskey' makes an RSA-SHA1 (5) ZSK key given a CKA_ID. The
algorithm and flags are hard coded in the source.

Best regards,
  Matthijs

> 
> See output below.
> 
> Thanks
> Klaus
> 
> # ods-ksmutil key list -v
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Keys:
> Zone:   Keytype:    CKA_ID:                      Keytag:
> renamed KSK  f2c291c81ecc6014e2d80f6cd2f4c9e1    47764
> 
> 
> ods-ksmutil key export --zone renamed
> ;active KSK DNSKEY record:
> renamed.   3600    IN      DNSKEY  257 3 8
> AwEAAatfpcBwA9w1fEh7a5d43Nrd8ogcVrUzS+24zPV5fzdBmQOK1YIyY0sMnsSTRTCa/G/HfTOtEYVwxVvxqNIek/zWJKvJP5ZFGYh/RSCFDdHVvXhDUqNP5hqoZitipetZ9JcxjjZ7FSCcboCv1vQcXxSWUhrx0lNyLilKtqA2w9CPpajSwVr1gNAOJkAqLc8noEKSPzJIf068sc5Vr8mocXuC2JUhqSqTqbOX++WH6NgXH4T2u3SSsZZ0y7Ik1iCQPvenMPUJpgWMHKECEePUzH88fVN2hY9k8AoNNz9OHii8TCfQYwe10bEfkud5ISwrQDx/nk/30G06GN3mZpOm53k=
> ;{id = 47764 (ksk), size = 2048b}
> 
> 
> # ods-hsmutil dnskey f2c291c81ecc6014e2d80f6cd2f4c9e1 renamed
> renamed.   3600    IN      DNSKEY  256 3 5
> AwEAAatfpcBwA9w1fEh7a5d43Nrd8ogcVrUzS+24zPV5fzdBmQOK1YIyY0sMnsSTRTCa/G/HfTOtEYVwxVvxqNIek/zWJKvJP5ZFGYh/RSCFDdHVvXhDUqNP5hqoZitipetZ9JcxjjZ7FSCcboCv1vQcXxSWUhrx0lNyLilKtqA2w9CPpajSwVr1gNAOJkAqLc8noEKSPzJIf068sc5Vr8mocXuC2JUhqSqTqbOX++WH6NgXH4T2u3SSsZZ0y7Ik1iCQPvenMPUJpgWMHKECEePUzH88fVN2hY9k8AoNNz9OHii8TCfQYwe10bEfkud5ISwrQDx/nk/30G06GN3mZpOm53k=
> ;{id = 47760 (zsk), size = 2048b}
> 
> 
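The offsets Klaus reports fall out of the keytag algorithm in RFC 4034 Appendix B: the tag is a folded 16-bit sum over the whole DNSKEY RDATA (flags, protocol, algorithm, key), so the KSK flag bit (257 vs 256) shifts it by 1 and the algorithm byte (8 vs 5) by 3. The following is an added example, not code from this thread or from OpenDNSSEC; it recomputes both tags from the public key quoted above using only the Python standard library.

```python
import base64
import struct

# Public key quoted in the thread (identical in the ods-ksmutil and
# ods-hsmutil output); the two tools disagree only on flags and algorithm.
PUBKEY_B64 = (
    "AwEAAatfpcBwA9w1fEh7a5d43Nrd8ogcVrUzS+24zPV5fzdBmQOK1YIyY0sMnsSTRTCa"
    "/G/HfTOtEYVwxVvxqNIek/zWJKvJP5ZFGYh/RSCFDdHVvXhDUqNP5hqoZitipetZ9Jcx"
    "jjZ7FSCcboCv1vQcXxSWUhrx0lNyLilKtqA2w9CPpajSwVr1gNAOJkAqLc8noEKSPzJI"
    "f068sc5Vr8mocXuC2JUhqSqTqbOX++WH6NgXH4T2u3SSsZZ0y7Ik1iCQPvenMPUJpgWM"
    "HKECEePUzH88fVN2hY9k8AoNNz9OHii8TCfQYwe10bEfkud5ISwrQDx/nk/30G06GN3mZpOm53k="
)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B keytag: sum big-endian 16-bit words over the RDATA,
    fold the carry back in once, mask to 16 bits. (Algorithm 1, RSAMD5, uses a
    different rule and is not handled here.)"""
    ac = 0
    for i in range(0, len(rdata), 2):
        if i + 1 < len(rdata):
            ac += (rdata[i] << 8) | rdata[i + 1]
        else:
            ac += rdata[i] << 8  # a trailing odd byte is the high half of a word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    return keytag(dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64)))


def thread_tags():
    """Tags for the key above as (ods-ksmutil KSK, ods-hsmutil hard-coded 256/5, real ZSK)."""
    ksk = dnskey_keytag(257, 3, 8, PUBKEY_B64)  # flags 257, RSASHA256: what ods-ksmutil prints
    hsm = dnskey_keytag(256, 3, 5, PUBKEY_B64)  # flags 256, RSASHA1: what ods-hsmutil assumes
    zsk = dnskey_keytag(256, 3, 8, PUBKEY_B64)  # a ZSK of the same key under the real algorithm
    return ksk, hsm, zsk


if __name__ == "__main__":
    ksk, hsm, zsk = thread_tags()
    print(f"KSK {ksk}, hsmutil {hsm}, offset {(ksk - hsm) % 65536}")
    print(f"ZSK {zsk}, hsmutil {hsm}, offset {(zsk - hsm) % 65536}")
```

The KSK offset is the flag word (+1) plus the algorithm byte (+3); a ZSK shares the 256 flag word, so only the algorithm byte (+3) remains, which is exactly the 4 and 3 reported above.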