[Opendnssec-user] DNSKEY keytag calculation differences between ods-hsmutil and ods-ksmutil

Rickard Bellgrim rickard at opendnssec.org
Thu Nov 14 08:58:42 UTC 2013


On Thu, Nov 14, 2013 at 9:51 AM, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:

> Hi Klaus,
>
> On 11/14/2013 08:25 AM, Klaus Darilion wrote:
> > Hi! Using ODS 1.3.15 and nCipher HSMs:
> >
> > The key itself is identical, but the calculated tag differs when
> > calculated by ods-hsmutil: KSKs have an offset of 4 (and reported falsely
> > as ZSK), ZSKs have an offset of 3.
>
> The reason for this is that ods-ksmutil has knowledge of the kasp
> database. Thus, it knows which DNSKEY algorithm and which flags are used
> for keys.
>
> 'ods-hsmutil dnskey' makes an RSA-SHA1 (5) ZSK key given a CKA_ID. The
> algorithm and flags are hard coded in the source.


 https://issues.opendnssec.org/browse/OPENDNSSEC-449
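
An added illustration, not part of the original message or of OpenDNSSEC's code: the RFC 4034 Appendix B key tag is a checksum over the whole DNSKEY RDATA, so the same public key gets a different tag when the flags or algorithm fields differ. The key bytes are constructed, and the zone using algorithm 8 (RSASHA256) is an assumption, chosen because it reproduces the reported offsets of 3 and 4 against the hard-coded algorithm 5 / flags 256.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Key tag per RFC 4034 Appendix B (all algorithms except 1). */
static uint16_t keytag(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8;
    ac += (ac >> 16) & 0xFFFF;          /* fold the carry back in */
    return (uint16_t)(ac & 0xFFFF);
}

/* Constructed stand-in for the public key field; not a real key. */
static const uint8_t SAMPLE_KEY[] = {
    0x03, 0x01, 0x00, 0x01, 0xC4, 0x5A, 0x17, 0x9E, 0x22, 0x6B, 0x80, 0x3D
};

/* DNSKEY RDATA = flags(2) | protocol(1, always 3) | algorithm(1) | key. */
static uint16_t dnskey_tag(uint16_t flags, uint8_t algorithm)
{
    uint8_t rdata[4 + sizeof SAMPLE_KEY];
    rdata[0] = (uint8_t)(flags >> 8);
    rdata[1] = (uint8_t)(flags & 0xFF);
    rdata[2] = 3;
    rdata[3] = algorithm;
    memcpy(rdata + 4, SAMPLE_KEY, sizeof SAMPLE_KEY);
    return keytag(rdata, sizeof rdata);
}

int main(void)
{
    /* What a tool with hard-coded values computes: ZSK flags, RSASHA1. */
    uint16_t hardcoded = dnskey_tag(256, 5);
    /* What a tool that knows the policy computes (algorithm 8 assumed). */
    uint16_t zsk = dnskey_tag(256, 8);
    uint16_t ksk = dnskey_tag(257, 8);   /* 257 = SEP bit set, i.e. KSK */

    printf("hard-coded 256/5: %u\n", (unsigned)hardcoded);
    printf("ZSK 256/8: %u (offset %d)\n", (unsigned)zsk, zsk - hardcoded);
    printf("KSK 257/8: %u (offset %d)\n", (unsigned)ksk, ksk - hardcoded);
    return 0;
}
```

The low flags byte and the algorithm byte sit at odd offsets in the RDATA, so they are added to the checksum unshifted; the difference is exact unless the 16-bit sum wraps.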