[Opendnssec-user] DNSKEY keytag calculation differences between ods-hsmutil and ods-ksmutil
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Nov 14 08:51:59 UTC 2013
Hi Klaus,
On 11/14/2013 08:25 AM, Klaus Darilion wrote:
> Hi! Using ODS 1.3.15 and nCipher HSMs:
>
> The key itself is identical, but the calculated tag differs when
> calculated by ods-hsmutil: KSKs have an offset of 4 (and reported falsely
> as ZSK), ZSKs have an offset of 3.

The reason for this is that ods-ksmutil has knowledge of the kasp
database. Thus, it knows which DNSKEY algorithm and which flags are used
for keys.

'ods-hsmutil dnskey' makes an RSA-SHA1 (5) ZSK key given a CKA_ID. The
algorithm and flags are hard-coded in the source.

Best regards,
Matthijs

>
> See output below.
>
> Thanks
> Klaus
>
> # ods-ksmutil key list -v
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Keys:
> Zone: Keytype: CKA_ID: Keytag:
> renamed KSK f2c291c81ecc6014e2d80f6cd2f4c9e1 47764
>
>
> ods-ksmutil key export --zone renamed
> ;active KSK DNSKEY record:
> renamed. 3600 IN DNSKEY 257 3 8
> AwEAAatfpcBwA9w1fEh7a5d43Nrd8ogcVrUzS+24zPV5fzdBmQOK1YIyY0sMnsSTRTCa/G/HfTOtEYVwxVvxqNIek/zWJKvJP5ZFGYh/RSCFDdHVvXhDUqNP5hqoZitipetZ9JcxjjZ7FSCcboCv1vQcXxSWUhrx0lNyLilKtqA2w9CPpajSwVr1gNAOJkAqLc8noEKSPzJIf068sc5Vr8mocXuC2JUhqSqTqbOX++WH6NgXH4T2u3SSsZZ0y7Ik1iCQPvenMPUJpgWMHKECEePUzH88fVN2hY9k8AoNNz9OHii8TCfQYwe10bEfkud5ISwrQDx/nk/30G06GN3mZpOm53k=
> ;{id = 47764 (ksk), size = 2048b}
>
>
> # ods-hsmutil dnskey f2c291c81ecc6014e2d80f6cd2f4c9e1 renamed
> renamed. 3600 IN DNSKEY 256 3 5
> AwEAAatfpcBwA9w1fEh7a5d43Nrd8ogcVrUzS+24zPV5fzdBmQOK1YIyY0sMnsSTRTCa/G/HfTOtEYVwxVvxqNIek/zWJKvJP5ZFGYh/RSCFDdHVvXhDUqNP5hqoZitipetZ9JcxjjZ7FSCcboCv1vQcXxSWUhrx0lNyLilKtqA2w9CPpajSwVr1gNAOJkAqLc8noEKSPzJIf068sc5Vr8mocXuC2JUhqSqTqbOX++WH6NgXH4T2u3SSsZZ0y7Ik1iCQPvenMPUJpgWMHKECEePUzH88fVN2hY9k8AoNNz9OHii8TCfQYwe10bEfkud5ISwrQDx/nk/30G06GN3mZpOm53k=
> ;{id = 47760 (zsk), size = 2048b}
>
>
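
Added example (not part of the original message and not OpenDNSSEC code): the RFC 4034 Appendix B key tag computed over the public key from the output above, once with the flags and algorithm that ods-ksmutil reports (257, 8) and once with the pair that ods-hsmutil hard-codes (256, 5). The function and constant names are illustrative, and algorithm 8 for the ZSK is an assumption.

```python
import base64
import struct

# Public key copied verbatim from the DNSKEY output quoted in the thread.
PUBKEY_B64 = (
    "AwEAAatfpcBwA9w1fEh7a5d43Nrd8ogcVrUzS+24zPV5fzdBmQOK1YIyY0sMnsSTRTCa/G/HfTOtEYVwxVvxqNIek/zWJKvJP5ZFGYh/RSCFDdHVvXhDUqNP5hqoZitipetZ9JcxjjZ7FSCcboCv1vQcXxSWUhrx0lNyLilKtqA2w9CPpajSwVr1gNAOJkAqLc8noEKSPzJIf068sc5Vr8mocXuC2JUhqSqTqbOX++WH6NgXH4T2u3SSsZZ0y7Ik1iCQPvenMPUJpgWMHKECEePUzH88fVN2hY9k8AoNNz9OHii8TCfQYwe10bEfkud5ISwrQDx/nk/30G06GN3mZpOm53k="
)

HSMUTIL_DEFAULT = (256, 5)  # ZSK flags, RSA-SHA1: hard-coded per the reply above
KSK_IN_KASP = (257, 8)      # flags/algorithm shown by 'ods-ksmutil key export'
ZSK_IN_KASP = (256, 8)      # assumption: the ZSK uses the same algorithm as the KSK


def key_tag(flags, algorithm, pubkey_b64=PUBKEY_B64, protocol=3):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    if algorithm == 1:
        # RSA/MD5 defines its key tag differently; this routine does not cover it.
        raise ValueError("algorithm 1 uses a different key tag definition")
    # RDATA = flags (2 bytes) | protocol (1) | algorithm (1) | public key
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def tag_offset(real, assumed):
    """Tag for the real (flags, algorithm) pair minus the tag for the assumed pair."""
    return key_tag(*real) - key_tag(*assumed)


if __name__ == "__main__":
    print("ods-ksmutil view (257, 8):", key_tag(*KSK_IN_KASP))
    print("ods-hsmutil view (256, 5):", key_tag(*HSMUTIL_DEFAULT))
    print("KSK offset:", tag_offset(KSK_IN_KASP, HSMUTIL_DEFAULT))
    print("ZSK offset:", tag_offset(ZSK_IN_KASP, HSMUTIL_DEFAULT))
```

The low flags byte and the algorithm byte both sit at odd offsets in the RDATA, so they are added unshifted: +1 for the SEP bit and +3 for algorithm 8 versus 5, which gives the offsets of 4 and 3 reported in the thread.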