[dns-operations] Online DNSSEC debugging tool now availalbe

Duane Wessels dwessels at verisign.com
Fri Jul 16 16:20:20 UTC 2010

On Jul 16, 2010, at 6:23 AM, George Barwood wrote:

> I notice that when "More detail" is clicked, it shows verification attempts where the KeyTag does not match, e.g.
> RRSIG=754 and DNSKEY=55799 does not verify the DNSKEY RRset (Verification of RSA string generated error: Signature longer than key)
> This seems to imply the KeyTag is not being checked before attempting to verify the signature.

Hi George,

thanks for bringing this up.  I wasn't sure if thats the right thing to do so
I'll happily take input from anyone.

At some point I was under the impression that the keytags were only "hints" but
RFC 4035 seems clear that they should match.  The Net::DNS library comments and
documentation mention that it doesn't require keytag to match.  something about
collisions and/or "keyid bug in BIND"


More information about the dns-operations mailing list