[ldns-users] Finding out which signatures belong to which RRs
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Jan 2 07:27:57 UTC 2014
On 12/31/2013 03:50 PM, Vladimir Levijev wrote:
> Hi,
>
> Imagine I'm parsing AUTHORITY section of output of "IN A" request. I
> get 2 NSEC3 RRs and 2 signatures for each, something like:
>
> IN NSEC3 <-- let's call it A
> IN RRSIG NSEC3 <-- first rrsig of A
> IN RRSIG NSEC3 <-- second rrsig of A
> IN NSEC3 <-- let's call it B
> IN RRSIG NSEC3 <-- first rrsig of B
> IN RRSIG NSEC3 <-- second rrsig of B
>
> So, how can I verify which NSEC3 the signatures belong to? In other
> words, what do RRs that sign and that are being signed have in common,
> and which ldns function could I use to get it?

Each NSEC3 record has a different owner name. The owner name of the
RRSIG record that belongs to an NSEC3 record matches the NSEC3 owner name.

In general: The RRSIG record is a signature over an RRset. An RRset is a
set of records with the same name, class and type. For example:

    ns.example.nl IN A 1.2.3.4
    ns.example.nl IN A 1.2.3.5

A signature for this RRset will have the owner name 'ns.example.nl'.
Also, in the RDATA of the RRSIG the type of the RRset it signs is
mentioned. In this case: 'A'. So the signature for this RRset starts with:

    ns.example.nl IN RRSIG A ...

Best regards,
Matthijs
>
> Cheers,
>
> VL
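
The matching rule described in the reply (same owner name and class, with the RRSIG's "type covered" field equal to the RRset type), as an added example that is not part of the original thread and is plain Python rather than ldns code. The record lines, hashed owner names, key tags and signatures are constructed placeholders; in ldns the same fields are read with ldns_rr_owner() and ldns_rr_rrsig_typecovered().

```python
from collections import defaultdict

# Constructed AUTHORITY-section lines in presentation format:
#   owner TTL class type rdata...
# Owner hashes, key tags and signatures are placeholders, not real DNSSEC data.
SAMPLE = """\
aaaa1111.example.nl. 3600 IN NSEC3 1 0 10 ABCD bbbb2222 A RRSIG
aaaa1111.example.nl. 3600 IN RRSIG NSEC3 8 3 3600 20140201000000 20140101000000 11111 example.nl. c2lnMQ==
AAAA1111.Example.NL. 3600 IN RRSIG NSEC3 10 3 3600 20140201000000 20140101000000 22222 example.nl. c2lnMg==
bbbb2222.example.nl. 3600 IN NSEC3 1 0 10 ABCD aaaa1111 NS SOA RRSIG
bbbb2222.example.nl. 3600 IN RRSIG NSEC3 8 3 3600 20140201000000 20140101000000 11111 example.nl. c2lnMw==
bbbb2222.example.nl. 3600 IN RRSIG NSEC3 10 3 3600 20140201000000 20140101000000 22222 example.nl. c2lnNA==
cccc3333.example.nl. 3600 IN RRSIG NSEC3 8 3 3600 20140201000000 20140101000000 11111 example.nl. c2lnNQ==
"""


def match_signatures(text):
    """Pair each RRset with the RRSIGs that cover it.

    Returns (matched, orphans):
      matched: (owner, class, type) -> key tags of the RRSIGs covering that RRset
      orphans: (owner, class, type covered) -> key tags of RRSIGs with no RRset
    """
    rrsets = defaultdict(list)  # (owner, class, type) -> rdata strings
    sigs = defaultdict(list)    # (owner, class, type covered) -> key tags
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, _ttl, rclass, rtype, *rdata = line.split()
        # DNS names compare case-insensitively; drop the trailing root dot.
        owner = owner.lower().rstrip(".")
        if rtype == "RRSIG":
            # RRSIG RDATA: type covered, algorithm, labels, original TTL,
            # expiration, inception, key tag, signer name, signature.
            sigs[(owner, rclass, rdata[0])].append(int(rdata[6]))
        else:
            rrsets[(owner, rclass, rtype)].append(" ".join(rdata))
    matched = {key: sigs.get(key, []) for key in rrsets}
    orphans = {key: tags for key, tags in sigs.items() if key not in rrsets}
    return matched, orphans


if __name__ == "__main__":
    matched, orphans = match_signatures(SAMPLE)
    for key, tags in matched.items():
        print(key, "signed by key tags", tags)
    for key, tags in orphans.items():
        print(key, "RRSIG without a matching RRset, key tags", tags)
```

An RRSIG that lands in the second result has no RRset in the same section to verify against, which is worth flagging when validating a response.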