> Hey everyone,
>
> Sorry to be Johnny-come-lately to this thread, but for anyone [else] who is trying to get DS records for
> dnskeys, the dnskey-grab utility in Vantages can also do that (as of version 0.8.8b) w/ a "-d" flag. For
> example:
Okay, and after a weekend of experimentation, I've got your original
request, using openssl. I think it's important to be able to do this with
standard command line tools, and I think it's critical for adoption for
people to be able to peek under the hood. I might find it fun to make a
web-version of this that jumps through this, step by step, as a learning
and teaching aid.
Anyway,
The thing you're hashing is the concatenation of two pieces (RFC 4034 section 5.1.4: digest = hash(owner name | DNSKEY RDATA)):
1) the wire-format of the owner name, followed by the DNSKEY RDATA, i.e. the flags, protocol and algorithm fields as raw bytes, then the binary (base64-decoded) public key. The owner name goes in canonical form, which means lowercase.
1a) The wire-format of a name is: each label preceded by a one-byte length, the whole sequence terminated by a zero byte (the empty root label). Labels are lowercased for the digest; the extra escaping needed for non-printing characters is not covered here. Note that printf's \NNN escapes are octal, so \03 is the length byte 3:
printf "\03isc\03org\00" > /tmp/some.file
2) While I could parse the DNSKEY to extract "257 3 5", I know how it encodes: flags 257 is the two-byte big-endian value 0x01 0x01, protocol 3 is 0x03 and algorithm 5 is 0x05. The printf escapes below are octal, but for these small values octal and hex coincide (writing the parsing code is left as an exercise for the reader):
printf "\01\01\03\05" >> /tmp/some.file
3) I used the following snippet of shell to extract the base64 public key from the RDATA and translate it to binary (the grep pattern anchors on the DNSKEY type and the "257 3 5" prefix so header lines that happen to contain 257 are not picked up):
dig isc.org DNSKEY | grep 'DNSKEY.257 3 5' | cut -f 6 | sed 's/257 3 5 //' | sed 's/ //g' | openssl enc -d -base64 -A >> /tmp/some.file
Note that some fields in the output of dig are tab-separated, some are
space-separated. I'm using BSD; your "cut" utility may differ. Note also
that for just verifying this in a manual fashion, I could do it with
cut-and-paste of the rdata.
4) We put it all together and hash the file we created. (Older openssl prints just the hex for stdin input; newer versions prefix it with "(stdin)= ", so take the last field rather than the first.)
%cat /tmp/some.file | openssl sha1 | awk '{print toupper($NF)}'
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
(without the awk bit it's still totally possible to verify visually, just case-insensitively)
And compare it with:
%dig +short isc.org DS
12892 5 1 982113D08B4C6A1D9F6AEE1E2237AE F69F3F9759
12892 5 2 F1E184C0E1D615D20EB3C223ACED3B 03C773DD952D5F0EB5C777586D E18DA6B5
dig inserts whitespace into long digests; strip it (tr -d ' ') before comparing. The leading 12892 is the key tag (RFC 4034 Appendix B) and 5 is the algorithm; neither is part of the digest. The third field is the digest type: 1 is SHA-1, 2 is SHA-256.
If you have a recent openssl, you can also do sha256 over the same file to verify the other record (12892 5 2):
%cat /tmp/some.file | openssl dgst -sha256 | awk '{print toupper($NF)}'
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586DE18DA6B5
To actually look at the file, you might want a tool like "hexdump" or
"xxd", which will nicely print out the hex (xxd will also show the
printable characters); either way you can clearly see the bytes we've put into it.
Hope this helps, it's been great fun to figure out.
-Dan
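The four steps above, generalized into a small Python program. This is an added example, not code from the original post: it uses only the standard library, handles any owner name, flags/protocol/algorithm and both digest types (1 = SHA-1, 2 = SHA-256), derives the key tag (RFC 4034 Appendix B) so the whole "dig +short ... DS" line can be compared, and normalizes the whitespace dig inserts into long digests. The DNSKEY material in the __main__ block is constructed for illustration and is not the real isc.org key, so its digests will not match the values quoted above; feed it the base64 from "dig isc.org DNSKEY" to reproduce them.

```python
#!/usr/bin/env python3
"""Compute DS records from a DNSKEY (added example, standard library only).

digest = hash(canonical owner name in wire format || DNSKEY RDATA)
RDATA  = flags (2 bytes) || protocol (1) || algorithm (1) || public key
"""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): labels lowercased, each prefixed
    by its one-byte length, terminated by the empty root label (0x00)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.lower().encode("ascii")  # canonical form is lowercase
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: big-endian flags, protocol, algorithm, then the raw key."""
    key = base64.b64decode("".join(pubkey_b64.split()))  # dig may wrap the base64
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Uppercase hex digest over owner-name-wire || DNSKEY RDATA."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int) -> str:
    """Presentation form 'keytag algorithm digesttype digest', as dig prints it."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def normalize_ds(line: str) -> str:
    """Join the whitespace dig inserts into long digests so two records compare equal."""
    tag, alg, dtype, *digest = line.split()
    return f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest).upper()}"


if __name__ == "__main__":
    # Constructed key material for demonstration only; NOT the real isc.org DNSKEY.
    KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
    for dtype in (1, 2):
        print(ds_record("isc.org.", 257, 3, 5, KEY_B64, dtype))
    # Example of cleaning up a dig line before comparison:
    print(normalize_ds("12892 5 1 982113D08B4C6A1D9F6AEE1E2237AE F69F3F9759"))
```

Usage: paste the base64 from "dig isc.org DNSKEY" into KEY_B64 and compare each printed line with normalize_ds() applied to the corresponding line of "dig +short isc.org DS"; the key tag acts as a quick sanity check that you grabbed the right DNSKEY (the KSK, flags 257) before you look at the digest.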