How to verify DNSKEY by using its corresponding DS

Question

A DNSKEY on a name server can be verified by using it DS stored on its parental name server. According to RFC4034: The DS record refers to a DNSKEY RR by including a digest of that DNSKEY RR.

The digest is calculated by concatenating the canonical form of the fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA, and then applying the digest algorithm.

 digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);

  "|" denotes concatenation

 DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.

The following example shows a DNSKEY RR and its corresponding DS RR.

   dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
                                         fwJr1AYtsmx3TGkJaNXVbfi/
                                         2pHm822aJ5iI9BMzNXxeYCmZ
                                         DRD99WYwYqUSdjMmmAphXdvx
                                         egXd/M5+X7OrzKBaMbCVdFLU
                                         Uh6DhweJBjEVv5f2wwjM9Xzc
                                         nOf+EPbtG9DMBmADjFDc2w/r
                                         ljwvFw==
                                         ) ;  key id = 60485
   dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
                                          98631FAD1A292118 )

Can anyone explain to me how should generate DS based on DNSKEY? My specific question is how I should concatenate and generate "DNSKEY RDATA"? Thanks in advance.

Answer 1

According to the information on this page:

Effectively, the digest is calculated over the following fields, concatenated:

DNSKEY owner name: se. (0x 02736500) Flags: 257 (0x0101) Protocol: 3 (0x03) Algorithm: 5 (0x05) Public Key: Aw……

The first four fields, in hex are as follows: 02736500 0101 03 05,

My question was how one can calculate the value for DNSKEY Domain Name (in this case se.). The concept which I didn't know was "wire format". Fortunately Roy Arends from Nominet, UK, explained to me clearly what it is:

A domain name, in "wireformat" is a set of labels, where each label is preceded by a length value and ends with the empty label (value 0x00)

For "se." the wire format is: 02 (length of "se") then 73 65 (hexadecimal representation of the ascii values for "s" and "e", followed by the empty label (value 00): 0x 02 73 65 00

For root (".") the value is just 00 so that would be 0x00

For "dnssec-tools.org": "dnssec-tools" is 12 characters long, so the length value is: 0c then the ascii representation of dnssec-tools in hex: 64 6e 73 73 65 63 2d 74 6f 6f 6c 73 "org" is 3 characters long, so the length value is: 03 then the ascii representation of org in hex: 6f 72 67 followed by the empty label: 00

all in all: "dnssec-tools.org." is 0x0c646e737365632d746f6f6c73036f726700

Thanks agian Roy.