[dns-operations] .nz DNSKEY encoding

Anton Berezin tobez at tobez.org
Thu Jan 19 18:25:44 UTC 2012

On Thu, Jan 19, 2012 at 05:12:52PM +1300, Sebastian Castro wrote:
> Dear fellow DNS operators:
> Back in December, we sent a notice to the NZNOG (New Zealand Network
> Operators Group) mailing list explaining the particularities of the
> encoded representation of .nz DNSKEY,  where the first 6 characters are
> "BAABAA" instead of "AwEAAb"

> The encoding for the .nz DNSKEY is different. According to RFC3110,
> Section 2
> --------------------------------------------------------------------
>     Leading zero octets are prohibited in the exponent and modulus.
> --------------------------------------------------------------------

Validns (https://github.com/tobez/validns) just got a policy check
to detect and report such keys in a zone:

$ ./validns -pdnskey t/zones/dnskey-exponent.zone
t/zones/dnskey-exponent.zone:18: leading zero octets in public key exponent
t/zones/dnskey-exponent.zone:25: leading zero octets in public key exponent

Our society can survive even a large amount of irrational regulation.
  -- John McCarthy

More information about the dns-operations mailing list