dnskey rr

Jul 22, 2011 at 7:48 AM

Hi,

I have a signed zone and am trying to use 'DnsKeyRecord' to add the rr to the answer reply.  Unlike all the other record types, the 'data' portion or 'publickey' is processed it appears and not the same as the data I supplied.

For example.

I do the following where "AwEAAcWJtYk0cL1QsDuKAMpF/4zewot2sU1aDOhavJYVx0wzBptQFR4U 01OOoNE5C0kh+TnkmtOABR9uqDujnZac7QugKLLXcKXgBKZ+Ir8VGNKX BrWMofpQ6QW/m9oc+ZkhX8csH00eTPXCOtJa3YyHo08hzrZUDWTVA4dc 4bHFyEqZ" is the key

Dim oEncoder As New System.Text.ASCIIEncoding
Dim data As Byte() = oEncoder.GetBytes(record.data)

Dim rr As New DnsKeyRecord(hostname1, RecordClass.INet, record.ttl, record.flags, CByte(record.protocol), record.algorithm, data)
query.AnswerRecords.Add(rr)

And I verify the byte array is the same as the key supplied, but when I get a response from the dns server, I get

3600    IN      DNSKEY  256 3 5 QXdFQUFjV0p0WWswY0wxUXNEdUtBTXBGLzR6ZXdvdDJzVTFhRE9oYXZK WVZ4MHd6QnB0UUZSNFUgMDFPT29ORTVDMGtoK1Rua210T0FCUjl1cUR1 am5aYWM3UXVnS0xMWGNLWGdCS1orSXI4VkdOS1ggQnJXTW9mcFE2UVcv bTlvYytaa2hYOGNzSDAwZVRQWENPdEphM1l5SG8wOGh6clpVRFdUVkE0 ZGMgNGJIRnlFcVo=

Which isn't what I supplied. 

I looked at your code and I can see the data supplied is converted to base64 string.  Converting the string supplied matches what was returned.

So, maybe I'm missing something obvious?  Why the conversion?

Coordinator
Jul 22, 2011 at 7:13 PM

Hi,

According to RFC 4034 section 3.2. "The RRSIG RR Presentation Format" Base64 must be used for the textual representation.
For further processing, you should not use the .ToString method of the records, instead you should use the corresponding properties, in this case the property PublicKey.

Hope this helps
Alex

Jul 22, 2011 at 8:34 PM
Edited Jul 22, 2011 at 8:38 PM

Sorry, not sure I understand.  I guess what I'm saying is, the string I have is already encoded and I want to pass it on with no further processing.  The 'publickey' property of a dnskey record seems to be read only, so I can't set it directly? Is there a way to pass the 'publickey' without it being encoded again and thus breaking the key?  I guess I can just decode it before sending it on again, but decoding and then re-encoding seems like a waste of cpu when almost all keys would be stored and already in base64 format?

Coordinator
Jul 22, 2011 at 8:59 PM
Edited Jul 22, 2011 at 9:03 PM

Normally there are two types of representation of a key: The binary representation, which means a byte array including non-readable characters. The readable representation is Base64 encoded on all algorithms I know.
Your key has only characters of a-z, A-Z, 0-9, / and +, this indicates that it is a Base64 representation. Because of that, getting the binary representation using ASCIIEncoding.GetBytes is not correct, instead you should decode this string using Base64 (e.g. using my extension method BaseEncoding.FromBase64String).

The PublicKey property can only be set using the constructor and works only with the binary representation. I've decided to use the binary representation, because the dns protocol works with that format as well as all of the CryptoServiceProviders in the framework.

In consequence of this, you should use this code fragment (C#, my VB is really bad ;-) )


using ARSoft.Tools.Net; // for extension methods
...
var rr = new DnsKeyRecord(hostname1, RecordClass.INet, record.ttl, record.flags, (byte)record.protocol, record.algorithm, data.Replace(" ", "").FromBase64String());

Jul 22, 2011 at 10:36 PM

Thank you.  I got a working, simple vb solution

Dim binaryData() As Byte
' Decode the Base64 text once; the record carries the binary key
binaryData = System.Convert.FromBase64String(record.data)
Dim rr As New DnsKeyRecord(hostname1, RecordClass.INet, record.ttl, record.flags, CByte(record.protocol), record.algorithm, binaryData)
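The decode-versus-encode point Alex makes above and the final VB solution, as an added Python example that is not ARSoft.Tools.Net code: it decodes the key quoted in the first post, recognises the ASCII-encoded mistake, and derives the RFC 3110 exponent/modulus and the RFC 4034 key tag from the binary key. PRESENTATION_KEY, the function names and the small constructed RDATA used in the checks are assumptions of this example, not values from the library.

```python
import base64
import binascii
import struct

# Key text quoted in the first post, including the whitespace a zone file may
# carry inside the Base64 field (copied here as the sample input).
PRESENTATION_KEY = (
    "AwEAAcWJtYk0cL1QsDuKAMpF/4zewot2sU1aDOhavJYVx0wzBptQFR4U "
    "01OOoNE5C0kh+TnkmtOABR9uqDujnZac7QugKLLXcKXgBKZ+Ir8VGNKX "
    "BrWMofpQ6QW/m9oc+ZkhX8csH00eTPXCOtJa3YyHo08hzrZUDWTVA4dc "
    "4bHFyEqZ"
)

def public_key_from_presentation(text: str) -> bytes:
    """Base64 text of a DNSKEY RR -> the binary key the wire format carries
    (the step Convert.FromBase64String performs in the final VB snippet)."""
    return base64.b64decode("".join(text.split()), validate=True)

def as_server_would_send(key: bytes) -> str:
    """Presentation form the record's ToString produces: Base64 of the bytes."""
    return base64.b64encode(key).decode("ascii")

def is_double_encoded(key: bytes) -> bool:
    """Sanity check: a real key is binary and practically never valid Base64
    text. If the 'key' bytes decode cleanly, the text was never decoded (the
    ASCIIEncoding.GetBytes mistake) and the server will Base64 it a second time."""
    try:
        base64.b64decode(key, validate=True)
    except binascii.Error:
        return False
    return True

def parse_rsa_public_key(key: bytes):
    """RFC 3110 layout: exponent length (1 byte, or 0 followed by 2 bytes),
    exponent, then the modulus. Returns (exponent, modulus bytes)."""
    exp_len, offset = key[0], 1
    if exp_len == 0:  # long form for exponents longer than 255 bytes
        exp_len, offset = struct.unpack("!H", key[1:3])[0], 3
    exponent = int.from_bytes(key[offset:offset + exp_len], "big")
    return exponent, key[offset + exp_len:]

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """RFC 4034 section 2.1 RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1) over the RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF
```

Running is_double_encoded on the bytes you are about to hand to the DnsKeyRecord constructor catches the ASCIIEncoding mistake before the record ever reaches a resolver.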