Calculating DS record from DNSKEY


The DS (Delegation Signer) digest is calculated over the following five fields:

  1. DNSKEY owner name in wire format: clean-internet.in. (0x0e636C65616E2D696E7465726E657402696E00)
  2. Flags: 257 (0x0101)
  3. Protocol: 3 (0x03)
  4. Algorithm: 13 (0x0D)
  5. Public key corresponding to the KSK: HAbAHtlIrnJ7d8M7r4PpODUebLmP..
     Hex of the public key: 1c06c01ed948ae727b77c33baf83e938351e6cb98f9162bb2198b2e0a43ce9693da5b882ab5c5a025a8f986faecd7a3766b0c9104cda5001a32b8d013c125d3e

Concatenating the five fields in this order (owner name, flags, protocol, algorithm, public key) gives the following data:

0e636C65616E2D696E7465726E657402696E000101030D1c06c01ed948ae727b77c33baf83e938351e6cb98f9162bb2198b2e0a43ce9693da5b882ab5c5a025a8f986faecd7a3766b0c9104cda5001a32b8d013c125d3e

Now convert the hex to binary and compute its SHA-256 digest (DS digest type 2):

echo -n 0e636C65616E2D696E7465726E657402696E000101030D1c06c01ed948ae727b77c33baf83e938351e6cb98f9162bb2198b2e0a43ce9693da5b882ab5c5a025a8f986faecd7a3766b0c9104cda5001a32b8d013c125d3e | xxd -r -p | shasum -a 256
58b6825ce64a0bdffc475f82487f7a5793255986498041ea9b95241c8bf81ca7 -

This is exactly the digest in the DS record published for the clean-internet.in. domain:

# dig clean-internet.in. DS +short

58183 13 2 58B6825CE64A0BDFFC475F82487F7A5793255986498041EA9B95241C 8BF81CA7

Further explanation:

Calculating the hex of clean-internet.in

A domain name in wire format is a sequence of labels, each preceded by a one-byte length, terminated by the empty root label (a single 0x00 byte).

For the label "clean-internet", the wire format is 0e (the length, 14) followed by "63 6C 65 61 6E 2D 69 6E 74 65 72 6E 65 74" (the hex of the ASCII characters c, l, e, ...); for the label "in", it is 02 (the length, 2) followed by "69 6E" (the hex of i and n); and finally the empty root label, 00.

So the combined wire-format hex of "clean-internet.in." is "0x 0e 63 6C 65 61 6E 2D 69 6E 74 65 72 6E 65 74 02 69 6E 00"

or, without spaces, 0x0e636C65616E2D696E7465726E657402696E00

Calculating the hex of the DNSKEY public key, which dig prints as base64 text.

dig clean-internet.in. @1.10.10.11 DNSKEY +short +multiline
256 3 13 yE2hqr/n8hRaX1lEFmjxMJSiuce0gM5yiYoPsacLNc1yV8HMo8+rbOYu68FSimSwIU5wZYR+kQEK4F/a/5mllQ==
257 3 13 HAbAHtlIrnJ7d8M7r4PpODUebLmPkWK7IZiy4KQ86Wk9pbiCq1xaAlqP mG+uzXo3ZrDJEEzaUAGjK40BPBJdPg==

Calculating the hex of the public-key portion of the KSK (the record with flags 257). The `-D` flag below is the macOS base64 decode option; GNU coreutils uses `-d`:

% echo -n 'HAbAHtlIrnJ7d8M7r4PpODUebLmPkWK7IZiy4KQ86Wk9pbiCq1xaAlqP mG+uzXo3ZrDJEEzaUAGjK40BPBJdPg==' | base64 -D -i - | xxd -ps
1c06c01ed948ae727b77c33baf83e938351e6cb98f9162bb2198b2e0a43c
e9693da5b882ab5c5a025a8f986faecd7a3766b0c9104cda5001a32b8d01
3c125d3e
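The whole procedure above (wire-format owner name, DNSKEY RDATA, SHA-256 digest) plus the RFC 4034 key tag that appears as the first field of the DS record, as an added Python example that is not part of the original post. The sample values are the page's clean-internet.in. KSK; the function names name_to_wire, dnskey_rdata, key_tag, ds_record and ds_matches are chosen here.

```python
import base64
import hashlib
import struct

# Values taken from the page: the clean-internet.in. KSK as printed by dig.
OWNER = "clean-internet.in."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBKEY_B64 = ("HAbAHtlIrnJ7d8M7r4PpODUebLmPkWK7IZiy4KQ86Wk9pbiCq1xaAlqP "
              "mG+uzXo3ZrDJEEzaUAGjK40BPBJdPg==")  # wrapped exactly as dig printed it
# DS digest types (RFC 4034 / RFC 4509 / RFC 6605); type 2 is what the page uses.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire format: lowercase labels, each length-prefixed, then root 0x00."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key bytes."""
    key = base64.b64decode("".join(pubkey_b64.split()))  # drop dig's line wrapping
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS RDATA text: '<key tag> <algorithm> <digest type> <hex digest>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches(computed, published):
    """Compare with a DS line from dig, ignoring dig's hex wrapping and case."""
    return "".join(computed.split()).upper() == "".join(published.split()).upper()

if __name__ == "__main__":
    ds = ds_record(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    print(ds)
    print(ds_matches(ds, "58183 13 2 58B6825CE64A0BDFFC475F82487F7A5793255986498041EA9B95241C 8BF81CA7"))
```

Feeding the output of `dig <zone> DNSKEY +short` into ds_record and comparing against `dig <zone> DS +short` with ds_matches is a quick check that the DS published in the parent zone really points at the KSK in the child.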
