[dns-operations] real world keytag collision example
Wessels, Duane
dwessels at verisign.com
Thu Jan 17 17:36:08 UTC 2019
.HYUNDAI has a KSK and a ZSK that have the same keytag (17755). This tripped up one of my tools that (incorrectly) assumed DNSKEYs for a zone would not have keytag collisions.
$ dig +rrcomments hyundai dnskey
; <<>> DiG 9.10.6 <<>> +rrcomments hyundai dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24287
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;hyundai. IN DNSKEY
;; ANSWER SECTION:
hyundai. 86240 IN DNSKEY 256 3 8 AwEAAaMSh2b2Ym2BZF7v8l8qYaBXOFqGJniZnTjlE9cb/+NTly5qsLxX EKR9rCg4Cir/6KpTS7KRmOzOHW2AyiVK0Xfh+B4SfVhdTqMOb8NMWIe9 1pdKpkWqfH+lXeI5WORHXw2dCuWlKlRIPb3PyPjFkWNlAgOgw8k3g8he
cS9si9Qv ; ZSK; alg = RSASHA256 ; key id = 17755
hyundai. 86240 IN DNSKEY 257 3 8 AwEAAa21ujOg7BfBFaoPtf6CsGKD+b0gKCGpYLZiGPLZUSg5BKSRBpP2 zMcIDpMtsovfP5gQcD2ydTZApnPopPrdQY2OmJXGgz64pbSaLJ9CEHMA U4LJ7w3Lx0Bn3CSDL1S4kgnfW7YZTx9XLwXMz4jOrTF93FMXpnFWvFNP cesR2AA6YQo0BVnuoeme4WR+ifiDt1J9UfAcw55hmCLQYQ0Z2nqsFFwW hqBmLIlO0xJoGVd2Rft0PLd6K1G1UOogiQN/ctisckTdWS2ntznEyhlm AdFEqh7BSE57GEWcKTFWviLifgHc7OWCjm8sOYeAIZ22pRFxrHnzIOIX
Bsc98fum4Ok= ; KSK; alg = RSASHA256 ; key id = 17755
hyundai. 86240 IN DNSKEY 257 3 8 AwEAAce4acEuuHROUk0Y1JOn4bUJWpQ3BoEZPe2dj7BWattbjvW+PJWE GVO4JQN/p4u+/3ehVo8+TRen5oG7tcZkOtD25tnX2Ya5MuOuFCeQE3Uj qRqGIzPkcSmvbe0odf21fqt0hY1uLFDtOXQ/CclRVaNCvvolvtmxBwrC i5lc91amrdjUF/s0zzkxGK2ACMI06luG7VHrBu0Gn51dtRH+SZrDL9P+ AHlucbJ9S5jFPHdwzB2P9alWKsRx37FuUHiKhvqkA4fU9zb+kwx+3NvI r8eo2k1ELjW6IHXhf/ypGCZ6VQO1XY79/tLWN3SkJUmYxJiO6d32LJuM
D/ufKEtIbwU= ; KSK; alg = RSASHA256 ; key id = 17774
DW
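Added example (not from the post): the RFC 4034 Appendix B key tag computation, a parser for DNSKEY lines in the form dig prints above, and an index that groups keys by tag in a list rather than a single slot, so a ZSK/KSK collision like .HYUNDAI's 17755 is handled instead of assumed away. The sample keys are constructed toy values, not real key material; the algorithm-1 special case of the key tag is omitted as obsolete.

```python
import base64
import struct
from collections import defaultdict


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over wire-format DNSKEY RDATA.
    It is a 16-bit checksum, so distinct keys in one zone can share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack(">HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey_line(line: str):
    """Parse one presentation-format DNSKEY RR such as dig prints
    ('owner TTL IN DNSKEY flags proto alg base64...'); a trailing ';' comment is ignored."""
    fields = line.split(";", 1)[0].split()
    _owner, _ttl, _cls, rtype, flags, proto, alg, *b64 = fields
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: %s" % line)
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64))


def index_by_tag(records):
    """Map key tag -> list of (flags, algorithm, pubkey). A list, not a single
    entry, because tag collisions within a zone are legitimate; a consumer
    (e.g. RRSIG validation) must try every key under the tag."""
    index = defaultdict(list)
    for flags, proto, alg, key in records:
        index[key_tag(dnskey_rdata(flags, proto, alg, key))].append((flags, alg, key))
    return dict(index)


# Constructed sample keys (toy values): a ZSK (256) and a KSK (257) whose RDATA
# deliberately sum to the same tag, plus one KSK with a distinct tag.
SAMPLE_KEYS = [
    (256, 3, 8, bytes([0x01, 0x02])),  # tag 1290
    (257, 3, 8, bytes([0x01, 0x01])),  # tag 1290 as well
    (257, 3, 8, bytes([0x02, 0x00])),  # tag 1545
]
```

Feeding the three hyundai. lines from the dig output above through parse_dnskey_line and index_by_tag yields two keys under tag 17755 and one under 17774.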