[dns-operations] calculating DNSSEC keytags in awk

Carlos Martinez-Cagnazzo carlosm3011 at gmail.com
Sat Dec 17 12:39:04 UTC 2011


Python anyone? :-)
On Dec 17, 2011 6:10 AM, "Olaf Kolkman" <olaf at nlnetlabs.nl> wrote:

> And then there is the keytag method in Net::DNS see
> http://search.cpan.org/~olaf/Net-DNS-SEC-0.16/RR/DNSKEY.pm
>
> Sent from my iPhone
>
> On Dec 17, 2011, at 12:19 AM, Lutz Donnerhacke <lutz at iks-jena.de> wrote:
>
> > In iks.lists.dns-operations, you wrote:
> >> I realise I'm probably the only person in the world who would ever
> >> want to do such a thing
> >
> > No, you are not that alone.
> >
> >> It seems to generate the right keytags for the zones I have been
> >> playing with.
> >
> > Fine!
> >
> > #! /usr/bin/perl
> >
> > package dnskey2ds;
> >
> > use strict;
> > use warnings;
> >
> > use Digest;
> > use MIME::Base64;
> >
> > BEGIN {
> >  use Exporter     ();
> >  use vars     qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
> >
> >  $VERSION     = 1.00;
> >  @ISA           = qw(Exporter);
> >  @EXPORT      = qw(&generate_ds);
> >  %EXPORT_TAGS = ( );      # eg:    TAG => [ qw!name1 name2! ],
> >
> >  # your exported package globals go here,
> >  # as well as any optionally exported functions
> >  @EXPORT_OK   = qw(&generate_ds);
> >
> > }
> >
> > use vars @EXPORT_OK;
> > my $sha1 = Digest->new("SHA-1");
> >
> > sub generate_ds($$) {
> >  my $fqdn = shift;
> >  my ($flags, $prot, $algo, $key) = split(/\s+/, shift, 4);
> >  my $rdata = join("", map {decode_base64 $_} (split /\s+/, $key));
> >
> >  local $_;
> >  $sha1->reset();
> >
> >  $fqdn =~ s/\.$//;
> >  foreach (split (/\./,$fqdn)) { $sha1->add(pack("c/a*",$_)); }
> >  $sha1->add(pack("c/a*",""));
> >
> >  my $wire = pack("ncc", $flags, 3, $algo) . $rdata;
> >  $sha1->add($wire);
> >
> >  my $keytag;
> >  if($algo == 1) {
> >    $keytag = 0xffff & unpack("n", substr($wire,-3,2)) ;
> >  } else {
> >    my ($sum, $i);
> >    for($sum = $i = 0; $i < length $wire; $i++) {
> >      $_ = unpack("C", substr($wire,$i,1));
> >      $sum += ($i & 1) ? $_ : $_ << 8;
> >    }
> >    $keytag = 0xffff & ($sum + ($sum >> 16));
> >  }
> >
> >  my $comment = "";
> >  if($algo == 3) {
> >    $_ = $rdata;
> >    my $len = 8*(64 + 8*unpack("C", substr($_,0,1)));
> >    $comment = "; Modulus = $len bit";
> >  } elsif($algo == 5 || $algo == 1) {
> >    $_ = $rdata;
> >    my ($len, $exponent);
> >    $len = unpack("C", substr($_,0,1));
> >    $_ = substr($_,1);
> >    unless($len) {
> >      $len = unpack("n", substr($_,0,2));
> >      $_ = substr($_,2);
> >    }
> >    if($len == 1) {
> >      $exponent = unpack("C", substr($_,0,1));
> >    } elsif($len == 2) {
> >      $exponent = unpack("n", substr($_,0,2));
> >    } elsif($len == 3) {
> >      $exponent = unpack("n", substr($_,0,2)) * 256
> >                + unpack("C", substr($_,2,1));
> >    } elsif($len == 4) {
> >      $exponent = unpack("N", substr($_,0,4));
> >    } elsif($len == 5) {
> >      $exponent = unpack("N", substr($_,0,4)) * 256
> >                + unpack("C", substr($_,4,1));
> >    }
> >    $_ = substr($_,$len);
> >    $_ = 8*(length $_);
> >    $comment = "; Modulus = $_ bit";
> >    if($exponent) {
> >      $comment .= ", Exponent = $exponent";
> >    } else {
> >      $comment .= ", Exponent = $len byte";
> >    }
> >  }
> >  return "$keytag $algo 1 ${\$sha1->hexdigest()} $comment";
> > }
> >
> > 1;
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20111217/d4215501/attachment.html>


More information about the dns-operations mailing list