[ldns-users] Finding out which signatures belong to which RRs

Vladimir Levijev vladimir.levijev at gmail.com
Thu Jan 2 08:46:38 UTC 2014


On 2 January 2014 09:27, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:
> On 12/31/2013 03:50 PM, Vladimir Levijev wrote:

Hi,

>> Imagine I'm parsing AUTHORITY section of output of "IN A" request. I
>> get 2 NSEC3 RRs and 2 signatures for each, something like:
>>
>> IN NSEC3 <-- let's call it A
>> IN RRSIG NSEC3 <-- first rrsig of A
>> IN RRSIG NSEC3 <-- second rrsig of A
>> IN NSEC3 <-- let's call it B
>> IN RRSIG NSEC3 <-- first rrsig of B
>> IN RRSIG NSEC3 <-- second rrsig of B
>>
>> So, how can I verify which NSEC3 the signatures belong to? In other
>> words, what do RRs that sign and that are being signed have in common,
>> and which ldns function I could use to get it?
>
> Each NSEC3 record has a different owner name. The owner name of the
> RRSIG record that belongs to an NSEC3 record matches the NSEC3 owner name.
>
> In general: The RRSIG record is a signature over an RRset. An RRset is a
> set of records with the same name, class and type. For example:
>
> ns.example.nl IN A 1.2.3.4
> ns.example.nl IN A 1.2.3.5
>
> A signature for this RRset will have the owner name 'ns.example.nl'.
> Also, in the RDATA of the RRSIG the type of the RRset it signs is
> mentioned. In this case: 'A'. So the signature for this RRset starts with:
>
> ns.example.nl IN RRSIG A ...

Ah, the owner name, of course. Thank you. :-)

Cheers,

VL
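As an added illustration of the rule in Matthijs's reply (this is example code, not from the original thread and not part of ldns), the matching logic in Python over a constructed AUTHORITY-style record set: group records into RRsets by (owner, class, type), then attach each RRSIG to the RRset whose type equals the RRSIG's type-covered field. Owner names, TTLs, key tags and signature data are made up and abbreviated; the sample also goes slightly beyond the post by flagging a signature whose RRset is not present.

```python
from collections import defaultdict

# Constructed sample in presentation format: two NSEC3 RRsets with two
# signatures each (as in the question), one A RRset, and one RRSIG over an
# AAAA RRset that is not in the message. Signature fields are abbreviated.
SAMPLE_RECORDS = """
A1B2.example.nl. 3600 IN NSEC3 1 0 10 ABCD C3D4 A RRSIG
A1B2.example.nl. 3600 IN RRSIG NSEC3 8 3 3600 20140201000000 20140101000000 11111 example.nl. sig1
a1b2.example.nl. 3600 IN RRSIG NSEC3 8 3 3600 20140201000000 20140101000000 22222 example.nl. sig2
C3D4.example.nl. 3600 IN NSEC3 1 0 10 ABCD E5F6 NS SOA RRSIG
C3D4.example.nl. 3600 IN RRSIG NSEC3 8 3 3600 20140201000000 20140101000000 11111 example.nl. sig3
C3D4.example.nl. 3600 IN RRSIG NSEC3 8 3 3600 20140201000000 20140101000000 22222 example.nl. sig4
ns.example.nl. 3600 IN A 1.2.3.4
ns.example.nl. 3600 IN A 1.2.3.5
ns.example.nl. 3600 IN RRSIG A 8 3 3600 20140201000000 20140101000000 11111 example.nl. sig5
ns.example.nl. 3600 IN RRSIG AAAA 8 3 3600 20140201000000 20140101000000 11111 example.nl. sig6
"""


def canonical_name(name):
    # Owner names compare case-insensitively; normalise the trailing dot too.
    return name.lower().rstrip(".") + "."


def parse(text):
    # Each line: owner TTL class type rdata (rdata kept as one string).
    records = []
    for line in text.strip().splitlines():
        owner, _ttl, klass, rtype, rdata = line.split(None, 4)
        records.append((canonical_name(owner), klass, rtype, rdata))
    return records


def match_signatures(records):
    """Return ({(owner, class, type): {"rrs": [...], "sigs": [...]}}, orphans).

    orphans lists (owner, class, covered type) for RRSIGs whose RRset is absent.
    """
    rrsets = defaultdict(lambda: {"rrs": [], "sigs": []})
    for owner, klass, rtype, rdata in records:
        if rtype != "RRSIG":
            rrsets[(owner, klass, rtype)]["rrs"].append(rdata)
    orphans = []
    for owner, klass, rtype, rdata in records:
        if rtype == "RRSIG":
            covered = rdata.split()[0]  # first RDATA field: type covered
            key = (owner, klass, covered)
            if key in rrsets:
                rrsets[key]["sigs"].append(rdata)
            else:
                orphans.append(key)
    return dict(rrsets), orphans
```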



More information about the ldns-users mailing list