[dns-operations] Online DNSSEC debugging tool now available
Duane Wessels
dwessels at verisign.com
Fri Jul 16 16:20:20 UTC 2010
On Jul 16, 2010, at 6:23 AM, George Barwood wrote:
> I notice that when "More detail" is clicked, it shows verification attempts where the KeyTag does not match, e.g.
>
> RRSIG=754 and DNSKEY=55799 does not verify the DNSKEY RRset (Verification of RSA string generated error: Signature longer than key)
>
> This seems to imply the KeyTag is not being checked before attempting to verify the signature.
Hi George,
Thanks for bringing this up. I wasn't sure if that's the right thing to do, so
I'll happily take input from anyone.
At some point I was under the impression that the keytags were only "hints", but
RFC 4035 seems clear that they should match. The Net::DNS library comments and
documentation mention that it doesn't require keytag to match, something about
collisions and/or "keyid bug in BIND".
DW
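As an added illustration of the check George describes, here is the key tag computation from RFC 4034 Appendix B together with the candidate-key filter from RFC 4035 section 5.3.1 (protocol 3, Zone Key flag, matching algorithm, matching key tag). This is example code written for this thread, not code from the debugging tool or from Net::DNS; the DNSKEY records and the RRSIG fields are constructed values, not real zone data.

```python
"""Key tag computation (RFC 4034 Appendix B) and pre-verification candidate
filtering (RFC 4035 section 5.3.1).  Constructed example for this thread; the
keys below are made-up byte strings, not real DNSKEY material."""
import struct
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key material.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signer_name: str


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA as specified in RFC 4034 Appendix B."""
    algorithm = rdata[3]
    if algorithm == 1:
        # RSA/MD5 is the historical exception: the tag is the most significant
        # 16 bits of the least significant 24 bits of the modulus, i.e. the two
        # octets just before the final octet of the RDATA.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low octet.
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF  # fold the carry back in
    return ac & 0xFFFF


def candidate_keys(sig: RRSIG, dnskeys: List[DNSKEY]) -> List[DNSKEY]:
    """Keys that could have produced `sig` under RFC 4035 section 5.3.1.

    Only keys whose tag and algorithm match are handed to the cryptographic
    verifier, so a mismatched pair (like RRSIG 754 vs DNSKEY 55799 in the
    thread) is never attempted.  Key tags are not unique, so more than one
    candidate can remain; a verifier tries each and accepts on the first
    cryptographic success."""
    return [
        k for k in dnskeys
        if k.protocol == 3
        and k.flags & 0x0100          # Zone Key flag (bit 7)
        and k.algorithm == sig.algorithm
        and key_tag(k.rdata()) == sig.key_tag
    ]


# Constructed sample DNSKEY RRset (algorithm 8, RSA/SHA-256); key material is arbitrary.
KSK = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=bytes.fromhex("03010001ABCD"))
ZSK = DNSKEY(flags=256, protocol=3, algorithm=8, public_key=bytes.fromhex("03010001FFFFFFFF"))
# Constructed algorithm-1 key to exercise the RSA/MD5 branch.
RSAMD5_KEY = DNSKEY(flags=256, protocol=3, algorithm=1, public_key=bytes.fromhex("03010001AABBCCDDEE"))
ZONE_KEYS = [KSK, ZSK, RSAMD5_KEY]

if __name__ == "__main__":
    for k in ZONE_KEYS:
        print(f"alg={k.algorithm} flags={k.flags} tag={key_tag(k.rdata())}")
    # Constructed RRSIG fields: one that matches the ZSK, one with a tag no key in the set carries.
    for sig in (RRSIG(8, key_tag(ZSK.rdata()), "example."), RRSIG(8, 754, "example.")):
        cands = candidate_keys(sig, ZONE_KEYS)
        print(f"RRSIG tag={sig.key_tag}: {len(cands)} candidate key(s) to try")
```

The filter runs before any RSA operation, so a tag or algorithm mismatch is reported as "no candidate key" rather than as a signature-length error from the crypto layer; because tags can collide, the filter narrows the set to try rather than proving which key signed.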