red@cricket:~$ dig +dnssec DNSKEY isc.org. | grep 257 | cut -f1,4- | \
sed -e's/\t/ /g' > Kisc.org.005.12892.key
red@cricket:~$ /usr/local/sbin/dnssec-dsfromkey Kisc.org.005.12892.key
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
red@cricket:~$ dig +short isc.org DS
12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
http://dnssec-deployment.org/pipermail/dnssec-deployment/2010-November/004642.html
On Sat, 13 Nov 2010, Osterweil, Eric wrote:
ReplyDelete> Hey everyone,
>
> Sorry to be Johnny-come-lately to this thread, but for anyone [else] who is trying to get DS records for
> dnskeys, the dnskey-grab utility in Vantages can also do that (as of version 0.8.8b) w/ a "-d" flag. For
> example:
Okay, and after a weekend of experimentation, I've got your original
request, using openssl. I think it's important to be able to do this with
standard command line tools, and I think it's critical for adoption for
people to be able to peek under the hood. I might find it fun to make a
web-version of this that jumps through this, step by step, as a learning
and teaching aid.
Anyway,
The thing you're sha'ing is going to be a concatenation of:
1) the wire-format of the owner name + flags , proto and algo in hex + a
binary dump of the rdata of the DNSKEY record.
1a) The wire-format of a name is: each label, preceded with a binary
length identifier, terminated by 0x00 (additional parsing is required for
non-printing characters, not covered here.)
printf "\03isc\03org\00" > /tmp/some.file
2) while I could parse the DNSKEY to extract "257 3 5", I know that it
translates in hex to 0x01, 0x01, 0x03, 0x05 (writing additional parsing
code is left as an exercise for the reader.)
printf "\01\01\03\05" >> /tmp/some.file
3) I used the following snippet of shell to extract the RDATA and
translate it to binary:
dig isc.org DNSKEY | grep 257 | cut -f 6 | sed s/257\ 3\ 5\ //g | sed
s/\ //g | openssl enc -d -base64 -A >> /tmp/some.file
Note that some fields in the output of dig are tab-separated, some are
space separated. I'm using BSD, your "cut" utility may differ. Note also
that for just verifying this in a manual fashion, I could do it with
cut-and-paste of the rdata.
4) We put it all together, and hash the file we created.
%cat /tmp/some.file | openssl sha1 | awk '{print toupper($1)}'
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
(without the awk bit it's still totally possible to verify visually)
And compare it with:
%dig +short isc.org DS
12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D
E18DA6B5
If you have a recent openssl, you can also do sha256 to verify the other:
%cat /tmp/some.file | openssl dgst -sha256 | awk '{print toupper($1)}'
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586DE18DA6B5
To actually look at the file, you might want a tool like "hexdump" or
"xxd", which will nicely print out the hex format. (xxd will also show
the printables), but you can clearly see the bits we've put into it.
Hope this helps, it's been great fun to figure out.
-Dan