[ldns-users] ldns-key2ds output uses wrong value for alg, and gets sha256 wrong

Jelte Jansen jelte at NLnetLabs.nl
Tue Aug 7 08:23:34 UTC 2007


Paul Wouters wrote:
> On Tue, 7 Aug 2007, Paul Wouters wrote:
> 
> ldns-key2ds outputs:
> 
> dnsx.xelerance.com 3600    IN      DS      10732 RSASHA1 1 dabf2dacf174d2f89b9c3d64e036a7c97b880c13
> 
> While, according to RFC3658 sections 2.4 and 2.5, I believe this should be (though
> that could have been written down a lot better):
> 
> dnsx.xelerance.com 3600    IN      DS      10732 5 1 dabf2dacf174d2f89b9c3d64e036a7c97b880c13
> 

Hmm, this is a contradiction in different RFCs;

RFC3568 indeed specifies that it must be a number:


2.5.  Presentation Format of the DS Record

   The presentation format of the DS record consists of three numbers
   (key tag, algorithm, and digest type) followed by the digest itself
   presented in hex:

However, RFC4034, which obsoletes 3568, states that:

5.3.  The DS RR Presentation Format

<snip>

   The Algorithm field MUST be represented either as an unsigned decimal
   integer or as an algorithm mnemonic specified in Appendix A.1.


Now this issue has been raised before, and I am willing to change it,
for the sake of compatibility with software that doesn't adhere to 4034.
I actually do agree that using a number is better.

But I am going to raise this up (again) to be clarified in the update of
RFC4034. The reason I left it in so far (and why I am still hesitant to
change it) is that it does weed out other software that can only handle
the numbers and not the mnemonic...

Jelte
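The compatibility problem discussed in this thread (a DS record whose algorithm field is the RFC 4034 mnemonic rather than the number, which consumers that only know the RFC 3658 format reject) can be handled on the consuming side by accepting both spellings and re-emitting the numeric form. The following is an added example written for this page, not code from ldns or from either poster; it assumes only the RFC 4034 Appendix A.1 mnemonic table and the digest lengths for digest type 1 (SHA-1, 40 hex characters) and type 2 (SHA-256, RFC 4509, 64 hex characters). The sample input is the DS line quoted in the mail above.

```python
import re

# Algorithm mnemonics from RFC 4034 Appendix A.1 (mnemonic -> number).
ALGORITHM_MNEMONICS = {
    "RSAMD5": 1, "DH": 2, "DSA": 3, "ECC": 4, "RSASHA1": 5,
    "INDIRECT": 252, "PRIVATEDNS": 253, "PRIVATEOID": 254,
}

# Digest type -> expected digest length in hex characters.
# 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509). Unknown types are passed
# through without a length check.
DIGEST_HEX_LENGTH = {1: 40, 2: 64}

RR_CLASSES = ("IN", "CH", "HS")


def parse_algorithm(token):
    """Accept an unsigned decimal (RFC 3658 style) or an RFC 4034 mnemonic."""
    if token.isdigit():
        value = int(token)
        if not 0 <= value <= 255:
            raise ValueError("algorithm number out of range: %s" % token)
        return value
    try:
        return ALGORITHM_MNEMONICS[token.upper()]
    except KeyError:
        raise ValueError("unknown algorithm mnemonic: %s" % token) from None


def parse_ds(line):
    """Parse 'owner [ttl] [class] DS keytag alg digesttype digest' into a dict.

    The digest may be split across several whitespace-separated hex chunks,
    which the presentation format permits; they are joined here.
    """
    fields = line.split()
    try:
        ds_index = fields.index("DS")
    except ValueError:
        raise ValueError("not a DS record: %r" % line) from None
    if ds_index == 0:
        raise ValueError("missing owner name: %r" % line)
    owner = fields[0]
    ttl = None
    rr_class = "IN"
    for token in fields[1:ds_index]:
        if token.isdigit():
            ttl = int(token)
        elif token.upper() in RR_CLASSES:
            rr_class = token.upper()
        else:
            raise ValueError("unexpected token before DS: %s" % token)
    rdata = fields[ds_index + 1:]
    if len(rdata) < 4:
        raise ValueError("DS RDATA needs key tag, algorithm, digest type and digest")
    key_tag = int(rdata[0])
    if not 0 <= key_tag <= 65535:
        raise ValueError("key tag out of range: %d" % key_tag)
    algorithm = parse_algorithm(rdata[1])
    digest_type = int(rdata[2])
    digest = "".join(rdata[3:]).lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("digest is not hex: %s" % digest)
    expected = DIGEST_HEX_LENGTH.get(digest_type)
    if expected is not None and len(digest) != expected:
        raise ValueError("digest type %d expects %d hex chars, got %d"
                         % (digest_type, expected, len(digest)))
    return {"owner": owner, "ttl": ttl, "class": rr_class, "key_tag": key_tag,
            "algorithm": algorithm, "digest_type": digest_type, "digest": digest}


def format_ds(ds):
    """Emit the record with the algorithm as a number, which every consumer accepts."""
    ttl = "%d " % ds["ttl"] if ds["ttl"] is not None else ""
    return "%s %s%s DS %d %d %d %s" % (ds["owner"], ttl, ds["class"], ds["key_tag"],
                                       ds["algorithm"], ds["digest_type"], ds["digest"])


def normalize_ds(line):
    """Parse a DS line in either presentation style and re-emit it numerically."""
    return format_ds(parse_ds(line))


if __name__ == "__main__":
    # Constructed from the DS line quoted in the mail thread above.
    mnemonic_line = ("dnsx.xelerance.com 3600    IN      DS      10732 RSASHA1 1 "
                     "dabf2dacf174d2f89b9c3d64e036a7c97b880c13")
    print(normalize_ds(mnemonic_line))
```

The length check against the digest type is what catches a tool that labels a SHA-256 digest as type 1 or truncates it: the line is rejected at parse time instead of producing a DS that never matches the child's DNSKEY.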
