From: Tom H. <to...@to...> - 2010-04-07 13:48:45
On 4/7/10 5:14 AM, Alexander Kiening wrote:
> Hi,
>
> I want to configure a bind9 server (9.7.0) to distribute HIP RR records.
> As described in RFC 5205, this is done in the format
>
>     IN HIP ( pk-algorithm
>              base16-encoded-hit
>              base64-encoded-public-key
>              rendezvous-server )
>
> The algorithm I use is RSA. My question now is how to fill the field of
> the public key? In RSA, the public key consists of the N- and the
> E-field. How are these two combined in the public key field above?

Have you consulted these standards?

[RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System (DNS)", RFC 2536, March 1999.
[RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", RFC 3110, May 2001.

I do not believe HIP introduced any new way to encode keys into RRs.

> As the E-field is equal on all my configured hosts, I thought that
> maybe this field does not need to be explicitly included in the public
> key record, so I tried to only specify the N-field, which generates a
> record that satisfies named-checkzone. I can also query this record with
> nslookup -type=any [dns-name], but OpenHIP refuses the record with the
> message "*** receive_hip_dns_response: HIT did not validate". So, this
> is not the way to make it work.
>
> In your wiki, you mention a hi2dns tool. Unfortunately, I cannot locate
> this tool on the internet.

These files are on our older CVS repository -- we need to migrate them to our current SVN repository (sorry about that). In the meantime, they are browsable here:

http://openhip.cvs.sourceforge.net/viewvc/openhip/patches/bind/

or fetched from cvs:

cvs -d:pserver:ano...@op...:/cvsroot/openhip login
cvs -z3 -d:pserver:ano...@op...:/cvsroot/openhip co -P openhip/patches

- Tom
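The following is an added worked example, not part of the thread above and not OpenHIP's or BIND's own code. It shows the key-encoding answer Tom points at: the public-key field of a HIP RR carries the same RSA wire format RFC 3110 defines (exponent length, exponent, modulus), base64-encoded, and the HIT field is the ORCHID (RFC 4843) of that same encoded key, which is why a modulus-only key field fails the "HIT did not validate" check: the consumer recomputes the HIT from the key bytes it received and they no longer match. Assumptions: the PK-algorithm value 2 for RSA and the field order are taken from RFC 5205; the HIP context ID and 2001:10::/28 prefix are taken from RFC 4843/5201; the toy 128-bit modulus, the owner and rendezvous names, and the `validate_hip_rr` check are constructed for illustration only (a real HIT must be produced by the OpenHIP tools against a real key).

```python
import base64
import hashlib
import ipaddress
import struct

# --- RFC 3110 section 2: RSA public key wire format used in DNS RRs ---
#   exponent length: 1 byte, or 0x00 followed by a 2-byte length when the
#                    exponent is longer than 255 bytes
#   exponent:        big-endian, unsigned, no leading zero bytes
#   modulus:         big-endian, unsigned, occupies the rest of the blob


def encode_rsa_public_key(n: int, e: int) -> bytes:
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        hdr = bytes([len(exp)])
    else:
        hdr = b"\x00" + struct.pack(">H", len(exp))
    return hdr + exp + mod


def decode_rsa_public_key(blob: bytes) -> tuple:
    """Inverse of encode_rsa_public_key; returns (n, e)."""
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        elen, off = struct.unpack(">H", blob[1:3])[0], 3
    exp = blob[off:off + elen]
    mod = blob[off + elen:]
    return int.from_bytes(mod, "big"), int.from_bytes(exp, "big")


# --- RFC 4843 ORCHID construction as RFC 5201 applies it to HITs ---
# HIT = 28-bit prefix of 2001:10::/28 || first 100 bits of
#       SHA-1(HIP context ID || RFC 3110-encoded host identity)
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
ORCHID_PREFIX = 0x2001001  # the 28 high-order bits of 2001:10::/28


def hit_from_hi(hi: bytes) -> ipaddress.IPv6Address:
    digest = hashlib.sha1(HIP_CONTEXT_ID + hi).digest()
    top100 = int.from_bytes(digest, "big") >> (160 - 100)
    return ipaddress.IPv6Address((ORCHID_PREFIX << 100) | top100)


# --- RFC 5205 presentation format: PK-algorithm HIT(base16) PK(base64) [RVS ...]
HIP_ALG_RSA = 2  # RFC 5205: 1 = DSA, 2 = RSA


def hip_rr(owner: str, n: int, e: int, rvs=()) -> str:
    hi = encode_rsa_public_key(n, e)
    hit_hex = hit_from_hi(hi).packed.hex()  # base16, no colons
    pk_b64 = base64.b64encode(hi).decode("ascii")
    fields = [str(HIP_ALG_RSA), hit_hex, pk_b64, *rvs]
    return f"{owner} IN HIP ( {' '.join(fields)} )"


def validate_hip_rr(rr: str) -> bool:
    """Recompute the HIT from the public-key field and compare it with the
    HIT field: the check any consumer of the RR has to make before trusting it."""
    tokens = rr.replace("(", " ").replace(")", " ").split()
    i = tokens.index("HIP")
    alg, hit_hex, pk_b64 = tokens[i + 1], tokens[i + 2], tokens[i + 3]
    if alg != str(HIP_ALG_RSA):
        return False
    hi = base64.b64decode(pk_b64)
    claimed = ipaddress.IPv6Address(bytes.fromhex(hit_hex))
    return hit_from_hi(hi) == claimed


# Constructed toy key for illustration only: a 128-bit "modulus" is not a
# usable RSA key, but it exercises the encoding exactly like a real one.
TOY_N = 0xD1E5B7C9A3F0E5B7C9A3F0E5B7C9A3F1
TOY_E = 65537


def example_records():
    """A correct record, and (assumed reconstruction of the question) a record
    whose key field holds only N while the HIT was derived from the full key."""
    good = hip_rr("host.example.", TOY_N, TOY_E, rvs=["rvs.example."])
    hit_hex = hit_from_hi(encode_rsa_public_key(TOY_N, TOY_E)).packed.hex()
    n_only = base64.b64encode(TOY_N.to_bytes(16, "big")).decode("ascii")
    bad = f"host.example. IN HIP ( {HIP_ALG_RSA} {hit_hex} {n_only} )"
    return good, bad


if __name__ == "__main__":
    good, bad = example_records()
    print(good, validate_hip_rr(good))
    print(bad, validate_hip_rr(bad))
```

Note that `named-checkzone` only checks that the fields parse (a valid base64 blob of any content passes), so it cannot catch a key field that is missing E; only a HIT recomputation like `validate_hip_rr` can. The example covers the RSA case only; a DSA key would use the RFC 2536 layout instead.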