Ethereal-dev: Re: [Ethereal-dev] Computation of key id in DNS Key RRs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 16 Jan 2004 11:22:11 -0800

On Jan 15, 2004, at 4:51 AM, David Fort wrote:

Appendix C: Key Tag Calculation

  The key tag field in the SIG RR is just a means of more efficiently
  selecting the correct KEY RR to use when there is more than one KEY
  RR candidate available, for example, in verifying a signature.  It is
  possible for more than one candidate key to have the same tag, in
  which case each must be tried until one works or all fail.  The
  following reference implementation of how to calculate the Key Tag,
  for all algorithms other than algorithm 1, is in ANSI C.  It is coded
  for clarity, not efficiency.  (See section 4.1.6 for how to determine
  the Key Tag of an algorithm 1 key.)

Section 4.1.6 says

4.1.6 Key Tag Field

   The "key Tag" is a two octet quantity that is used to efficiently
   select between multiple keys which may be applicable and thus check
   that a public key about to be used for the computationally expensive
   effort to check the signature is possibly valid.  For algorithm 1
   (MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
   octets of the public key modulus needed to decode the signature
   field.  That is to say, the most significant 16 of the least
   significant 24 bits of the modulus in network (big endian) order. For
   all other algorithms, including private algorithms, it is calculated
   as a simple checksum of the KEY RR as described in Appendix C.

So should "compute_key_id()" use the two octets in question for DNS_ALGO_RSAMD5, rather than for DNS_ALGO_RSASHA1 as it does now?
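As an added example (not Ethereal's code and not the RFC's reference implementation), the following C carries out both key tag rules the mail contrasts: the Appendix C checksum for every algorithm other than 1, and the section 4.1.6 modulus rule for algorithm 1 (RSA/MD5), selected on the algorithm octet of the KEY RDATA. Function names and the sample RDATA are constructed for illustration; the RDATA layout (flags, protocol, algorithm, public key, with the modulus last for RSA/MD5 keys as laid out in RFC 2537) is assumed from RFC 2535 and RFC 2537.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DNS_ALGO_RSAMD5 1   /* RSA/MD5 algorithm number from RFC 2535 */

/* Appendix C checksum: sum the RDATA as big-endian 16-bit words (a
 * trailing odd octet is the high half of a final word), fold the carry
 * back in and keep the low 16 bits. */
uint16_t key_tag_checksum(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8;
    ac += (ac >> 16) & 0xFFFF;
    return (uint16_t)(ac & 0xFFFF);
}

/* Section 4.1.6 rule for algorithm 1: the most significant 16 of the
 * least significant 24 bits of the modulus. The modulus ends the RDATA
 * (RFC 2537 layout), so that is the third- and second-to-last octets.
 * Returns 0 when the RDATA is too short to hold such a modulus. */
uint16_t key_tag_rsamd5(const uint8_t *rdata, size_t len)
{
    if (len < 3) return 0;
    return (uint16_t)((rdata[len - 3] << 8) | rdata[len - 2]);
}

/* Dispatch on the algorithm octet (RDATA = flags[2] protocol[1]
 * algorithm[1] key). Only algorithm 1 takes the modulus path; RSA/SHA1
 * and all others use the checksum. Returns 0 below the 4-octet header. */
uint16_t dns_key_tag(const uint8_t *rdata, size_t len)
{
    if (len < 4) return 0;
    return rdata[3] == DNS_ALGO_RSAMD5 ? key_tag_rsamd5(rdata, len)
                                       : key_tag_checksum(rdata, len);
}

/* Constructed sample RDATA (not real keys): flags 0x0101, protocol 3,
 * algorithm 5 or 1, exponent length 1, exponent 3, modulus AB CD EF 12. */
static const uint8_t key_rsasha1[] = {0x01,0x01,0x03,0x05,0x01,0x03,0xAB,0xCD,0xEF,0x12};
static const uint8_t key_rsamd5[]  = {0x01,0x01,0x03,0x01,0x01,0x03,0xAB,0xCD,0xEF,0x12};

int main(void)
{
    printf("RSA/SHA1 tag: %u\n", dns_key_tag(key_rsasha1, sizeof key_rsasha1));
    printf("RSA/MD5  tag: %u\n", dns_key_tag(key_rsamd5, sizeof key_rsamd5));
    return 0;
}
```

The two sample keys differ only in the algorithm octet, yet yield different tags (40937 via the checksum, 52719 from the modulus octets), which is exactly the distinction a dissector gets wrong if it applies the modulus rule to RSA/SHA1 instead of RSA/MD5.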