Bug 670 - ldns not parsing KSK correctly
Status: ASSIGNED
Product: ldns
Classification: Unclassified
Component: library
Version: 1.6.x
Hardware: x86_64 FreeBSD
Importance: P5 normal
Assigned To: LDNS dev team
Reported: 2015-04-29 00:06 CEST by Eric W. Bates
Modified: 2016-10-18 23:18 CEST

Description Eric W. Bates 2015-04-29 00:06:50 CEST
My testing is all in perl.

$key = DNS::LDNS::Key->new(filename => '/path/to/.private');

$flags = $key->flags;
$keyid = $key->keytag;

$flags always contains 256 regardless of whether the key is KSK or ZSK.
I believe I'm correct to expect that KSKs ought to return 257?

For KSK keys, $keyid contains the actual keyid-1.

To reproduce:
-Create two pairs of keys. One KSK, the other ZSK:
 dnssec-keygen example.com
 dnssec-keygen -fk example.com

-Execute the following script in the same dir with the keys:
#!/usr/local/bin/perl5

use DNS::LDNS ':all';

# Load each private key in the current directory and print the
# flags and key tag that ldns assigns to it.
foreach (glob('Kexample.com.*.private')) {
    my $key = DNS::LDNS::Key->new(filename => $_);
    print STDERR ("Flags for $_: ", $key->flags, "\n");
    print STDERR ("keyid for $_: ", $key->keytag, "\n");
}

-An example run (in this test, keyid 25939 is the KSK):
# ./test_ldns_key
Flags for Kexample.com.+005+25939.private: 256
keyid for Kexample.com.+005+25939.private: 25938
Flags for Kexample.com.+005+37500.private: 256
keyid for Kexample.com.+005+37500.private: 37500

My environment:
FreeBSD 10.1-RELEASE-p5
perl5.20-5.20.2_3
ldns-1.6.17_4
p5-DNS-ldns-1.6.17_4
Comment 1 Eric W. Bates 2015-04-29 04:11:27 CEST
I don't think you CAN parse "flags" from the private half of the key. 

In any event ldns_key_new_frm_fd_l() creates a new key (line 304, keys.c) with ldns_key_new(). The default initialization sets "flags" to LDNS_KEY_ZONE_KEY, but as the key is parsed, "flags" is uncontested.

I would suggest that if no effort is being made to attempt to open the public half of the key and parse whether we have a KSK or a ZSK that "flags" should be NULL or some such non-value.
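The off-by-one key tag in the report follows directly from how the tag is computed. As an added example (not code from the bug report or from ldns), the RFC 4034 Appendix B key tag is a 16-bit sum over the DNSKEY RDATA whose first two bytes are the flags, so a key carrying the default LDNS_KEY_ZONE_KEY flags (256) instead of 257 (Zone Key plus SEP bit) gets a tag one lower, barring a carry wrap in the final fold, which is the 25938-versus-25939 seen above. The public-key bytes below are constructed and stand in for real key material.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNSKEY flag bits, RFC 4034 section 2.1.1. */
#define DNSKEY_FLAG_ZONE_KEY 0x0100 /* 256, the ldns default for a key read from .private */
#define DNSKEY_FLAG_SEP      0x0001 /* Secure Entry Point bit; 256|1 = 257 marks a KSK */

/* Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1). */
uint16_t dnskey_keytag(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8; /* flags are bytes 0-1 */
    ac += (ac >> 16) & 0xFFFF; /* fold the carry back into the low 16 bits */
    return (uint16_t)(ac & 0xFFFF);
}

/* Serialise DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key. */
size_t dnskey_rdata(uint16_t flags, uint8_t algorithm, const uint8_t *pubkey,
                    size_t pubkey_len, uint8_t *out, size_t out_len)
{
    if (out_len < 4 + pubkey_len)
        return 0;
    out[0] = (uint8_t)(flags >> 8);
    out[1] = (uint8_t)(flags & 0xFF);
    out[2] = 3;         /* protocol is always 3 for DNSSEC */
    out[3] = algorithm;
    memcpy(out + 4, pubkey, pubkey_len);
    return 4 + pubkey_len;
}

/* Key tag of one constructed algorithm-5 (RSASHA1) public key under the given flags. */
uint16_t keytag_for_flags(uint16_t flags)
{
    /* Constructed sample bytes standing in for a public key; not a real key. */
    static const uint8_t pubkey[] = { 0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0x12, 0x34 };
    uint8_t rdata[64];
    size_t n = dnskey_rdata(flags, 5, pubkey, sizeof pubkey, rdata, sizeof rdata);
    return dnskey_keytag(rdata, n);
}

int main(void)
{
    uint16_t zsk = keytag_for_flags(DNSKEY_FLAG_ZONE_KEY);
    uint16_t ksk = keytag_for_flags(DNSKEY_FLAG_ZONE_KEY | DNSKEY_FLAG_SEP);
    printf("flags 256 -> key tag %u\nflags 257 -> key tag %u\n", zsk, ksk); /* 50440, 50441 */
    return 0;
}
```

Because the flags field sits at an even offset with its SEP bit in the odd byte, the SEP bit contributes exactly 1 to the accumulator, which is why ldns's unparsed default of 256 yields the real KSK tag minus one.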
Comment 2 Willem Toorop 2016-10-18 23:18:57 CEST
(In reply to Eric W. Bates from comment #1)
> I don't think you CAN parse "flags" from the private half of the key. 
> 
> In any event ldns_key_new_frm_fd_l() creates a new key (line 304, keys.c)
> with ldns_key_new(). The default initialization set "flags" to
> LDNS_KEY_ZONE_KEY, but as the key is parsed, "flags" is uncontested.
> 
> I would suggest that if no effort is being made to attempt to open the
> public half of the key and parse whether we have a KSK or a ZSK that "flags"
> should be NULL or some such non-value.

Thank you for reporting Eric,

As you have seen, we only have a function to read the key from a FILE*.  We do not know the filename of the (.private) key file and thus cannot also read in the public (.key) key file.
I also don't want to break binary API.  I'd rather not suddenly return different default flags, because people might depend on it.

However it should not be too hard to do it from the Perl Key.pm module...
Perhaps we should do a pull request for it on:
https://github.com/erikoest/DNS-LDNS

What do you think?