[dns-operations] calculating DNSSEC keytags in sed (was: RE: calculating DNSSEC keytags in awk)
Richard Lamb
richard.lamb at icann.org
Thu Apr 16 18:02:04 UTC 2015
Not in awk but maybe helpful...
https://www.co.tt/ds4dn.cgi
which uses BIND dnssec-dsfromkey command.
Or my C code (no guarantees ;-)
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Compute the DNSSEC key tag of a DNSKEY RDATA buffer (flags, protocol,
 * algorithm, public key), using the checksum from RFC 4034 Appendix B.
 *
 * key  - RDATA octets in wire order
 * klen - number of octets in key; a value <= 0 yields 0
 *
 * Octets at even offsets are added as the high byte of a 16-bit word and
 * octets at odd offsets as the low byte; the carry out of bit 15 is folded
 * back in once and the low 16 bits are returned.
 *
 * A key tag is only a 16-bit hint: different keys can share a tag, so it
 * must not be treated as a unique key identifier.  Algorithm 1 (RSA/MD5)
 * defines its key tag differently and is not handled here.
 */
static uint16_t keytag(uint8_t *key,int klen)
{
    uint32_t sum = 0;
    int pos = 0;

    while (pos < klen) {
        uint32_t octet = key[pos];

        if (pos & 1)
            sum += octet;          /* odd offset: low byte of the word */
        else
            sum += octet << 8;     /* even offset: high byte of the word */
        ++pos;
    }

    /* fold the accumulated carries back into the low 16 bits */
    sum += (sum >> 16) & 0xFFFF;
    return (uint16_t)(sum & 0xFFFF);
}
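/*
 * Base64 alphabet in value order; index 64 is the '=' padding character.
 */
static const char
base64[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

/*
 * Decode the NUL-terminated base64 string `in` into `out`.
 *
 * in  - base64 text; its length must be a multiple of 4
 * out - destination buffer; the caller must provide at least
 *       3 * (strlen(in) / 4) bytes, because no size is passed in
 *
 * Returns the number of decoded bytes written to out, or -1 if the input
 * is malformed: length not a multiple of 4, a character outside the
 * alphabet, '=' in the first two positions of a quad, '=' followed by a
 * non-'=' character, or padding anywhere but the final quad.
 *
 * Exactly the returned number of bytes is written; nothing is stored past
 * the decoded length.
 */
static int base64decode(char *in,uint8_t *out)
{
    size_t slen = strlen(in);
    const char *q = in;
    int len = 0;

    /*
     * Reject partial quads up front.  Without this the inner loop would walk
     * past the terminating NUL, and strchr() matches the table's own
     * terminator for '\0', so the overrun would not even be detected.
     */
    if (slen % 4 != 0)
        return -1;

    /* keep the int return value from overflowing on absurdly long input */
    if (slen / 4 > (size_t)INT_MAX / 3)
        return -1;

    for (size_t left = slen; left > 0; left -= 4) {
        unsigned v[4];
        int k;

        for (int i = 0; i < 4; i++) {
            const char *c = strchr(base64, *q);

            if (c == NULL)
                return -1;
            v[i] = (unsigned)(c - base64);
            q++;
        }

        /* padding can never occupy the first two positions */
        if (v[0] == 64 || v[1] == 64)
            return -1;

        if (v[2] == 64) {
            if (v[3] != 64)        /* "x=y" is not valid padding */
                return -1;
            k = 1;
        } else if (v[3] == 64) {
            k = 2;
        } else {
            k = 3;
        }

        /* a padded quad is only legal as the last one */
        if (k != 3 && left != 4)
            return -1;

        *out++ = (uint8_t)((v[0] << 2) | (v[1] >> 4));
        if (k >= 2)
            *out++ = (uint8_t)((v[1] << 4) | (v[2] >> 2));
        if (k == 3)
            *out++ = (uint8_t)((v[2] << 6) | v[3]);

        len += k;
    }
    return len;
}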
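/*
 * Parse a decimal command-line field into *out.
 * Accepts only a complete number in the range 0..max; returns 0 on success
 * and -1 otherwise (strtol overflow saturates above max and is rejected too).
 */
static int parse_field(const char *s, long max, long *out)
{
    char *end;
    long v = strtol(s, &end, 10);

    if (end == s || *end != '\0' || v < 0 || v > max)
        return -1;
    *out = v;
    return 0;
}

/*
 * Build DNSKEY RDATA from the command line and print its key tag.
 *
 * argv[1]   - the 16-bit DNSKEY flags field ("type" in the usage text;
 *             dig prints 257 for a KSK and 256 for a ZSK)
 * argv[2]   - protocol (8 bit)
 * argv[3]   - algorithm (8 bit)
 * argv[4..] - base64 public key, possibly split over several arguments;
 *             each argument is decoded on its own, so each piece must be
 *             a whole number of 4-character base64 groups
 *
 * Returns 0 on success and -1 on a usage or input error.
 */
int main(int argc,char *argv[])
{
    uint8_t buf[512];
    uint8_t *q = buf;
    uint8_t *const limit = buf + sizeof buf;
    long flags, proto, alg;
    int n,i;

    if(argc < 5) {
        printf("Usage: %s type proto alg dnskey...\n e.g., output "
               "of \"dig +short -t dnskey domain\"\n",argv[0]);
        return -1;
    }

    if (parse_field(argv[1], 0xFFFF, &flags) != 0 ||
        parse_field(argv[2], 0xFF, &proto) != 0 ||
        parse_field(argv[3], 0xFF, &alg) != 0) {
        fprintf(stderr, "%s: type, proto and alg must be decimal numbers in range\n", argv[0]);
        return -1;
    }

    /* create a DNSKEY record and compute Key Tag */
    /* flags go out in network byte order, written bytewise so no cast or htons() is needed */
    *q++ = (uint8_t)(flags >> 8);
    *q++ = (uint8_t)(flags & 0xFF);
    *q++ = (uint8_t)proto;      /* protocol */
    *q++ = (uint8_t)alg;        /* algorithm */

    for(i=4;i<argc;i++) {
        size_t alen = strlen(argv[i]);
        /* the decoder may store up to 3 bytes per started 4-character group */
        size_t groups = alen / 4 + (alen % 4 != 0);

        /* the key comes from the command line: refuse anything that would not fit in buf */
        if (groups > (size_t)(limit - q) / 3) {
            fprintf(stderr, "%s: key too long for the %zu byte buffer\n", argv[0], sizeof buf);
            return -1;
        }

        n = base64decode(argv[i],q);
        if (n < 0) {
            /* without this check a -1 would move q backwards */
            fprintf(stderr, "%s: invalid base64 in argument %d\n", argv[0], i);
            return -1;
        }
        q += n;
    }

    printf("keytag:%05u\n",(unsigned)keytag(buf,(int)(q-buf)));
    return 0;
}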
-----Original Message-----
From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf
Of Frank
Sent: Thursday, April 16, 2015 9:27 AM
To: Zuleger, Holger, Vodafone DE
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] calculating DNSSEC keytags in sed (was: RE:
calculating DNSSEC keytags in awk)
I do not want to read it. I want to calculate it.
In order to save it in my zone file.
Am Donnerstag, den 16.04.2015, 12:59 +0000 schrieb Zuleger, Holger, Vodafone
DE:
> > RE: calculating DNSSEC keytags in awk)
> >
> > > $ dig +noall +answer +multi DNSKEY $zone |
> > > > sed -n '/KSK/s/^.*= //p'
> > > if you only want to see the key id of the KSK.
> >
> > If it *has* a KSK; try co.uk. ;-)
> Of course, but if you use dnssec-dsfromkey, you also have to add
> option -A to get some output.
>
> Holger
>