[Pdns-users] Format of private keys in PowerDNSSEC (gmysql) doesn't correspond to BIND's

Jan-Piet Mens jp at mens.de
Thu Feb 24 15:38:10 UTC 2011


PowerDNSSEC stores private keys in the cryptokey table. The blob
contained there appears to be "Private-key-format: v1.2", however there
is a difference between keys stored by PDNS and those created by BIND's
`dnssec-keygen -C' utility. I discovered this upon attempting to read
the private key extracted from the back-end database with ldns 1.6.8.

        BIND                                    PDNS MySQL
        Private-key-format: v1.2                Private-key-format: v1.2
        Algorithm: 8 (RSASHA256)                Algorithm: 8 (RSASHA256)
        Modulus:                                Coefficient:
        PublicExponent:                         Exponent1:
        PrivateExponent:                        Exponent2:
        Prime1:                                 Modulus:
        Prime2:                                 Prime1:
        Exponent1:                              Prime2:
        Exponent2:                              PrivateExponent:
        Coefficient:                            PublicExponent:

If I extract the key from the database, and run it through the following
program, the output is indeed parseable by ldns:

        # reformatkey.pl by Jan-Piet Mens, Feb 2011
        # Read a private key as stored by PowerDNSSEC in MySQL, and print
        # it out in "the correct order". This allows e.g. ldns to
        # read the key with ldns_key_new_frm_fp_l(3).
        # Note that I'm not sure whether this is erroneous on the part of
        # PowerDNSSEC, or whether ldns(3) is being "lazy". (An example
        # in RFC 5702 suggests BIND's format is correct.)

        use strict;
        use warnings;
        my %keyparts;

        # Read "Field: value" lines; the value keeps its trailing newline
        while (<>) {
                my ($k, $v) = split(/: /, $_, 2);

                $keyparts{$k} = $v;
        }

        sub out {
                my ($k) = @_;

                print "$k: ", $keyparts{$k} if exists $keyparts{$k};
        }

        # Emit the fields in the order BIND's dnssec-keygen writes them
        out('Private-key-format');
        out('Algorithm');
        out('Modulus');
        out('PublicExponent');
        out('PrivateExponent');
        out('Prime1');
        out('Prime2');
        out('Exponent1');
        out('Exponent2');
        out('Coefficient');

As noted in the comment, I'm not sure whether this small error is on
PDNS' part or in ldns, but an example in RFC 5702 suggests BIND's format
is correct.

Best regards,
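As an added example that is not part of the original post: the same reordering in Python, plus a consistency check of the RSA CRT fields so a key blob pulled from the back-end can be verified before it is handed to ldns. The sample key is constructed inline from tiny primes and is not a real key; the field names and both orders are the ones shown in the table above.

```python
import base64
import math

# Field order written by BIND's dnssec-keygen (matches the RFC 5702 example);
# PowerDNSSEC's gmysql back-end stores the same fields in a different order.
BIND_ORDER = ["Private-key-format", "Algorithm", "Modulus", "PublicExponent",
              "PrivateExponent", "Prime1", "Prime2", "Exponent1", "Exponent2",
              "Coefficient"]

def b64int(s):
    """Decode a base64 field into a big-endian unsigned integer."""
    return int.from_bytes(base64.b64decode(s), "big")

def int_b64(n):
    """Inverse of b64int; used here only to build the constructed sample."""
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def parse_key(text):
    """Parse 'Field: value' lines into a dict, in whatever order they appear."""
    parts = {}
    for line in text.splitlines():
        if line.strip():
            k, v = line.split(": ", 1)
            parts[k.strip()] = v.strip()
    return parts

def reorder_key(parts):
    """Re-emit the key in BIND order; unknown fields are appended unchanged."""
    lines = [f"{k}: {parts[k]}" for k in BIND_ORDER if k in parts]
    lines += [f"{k}: {v}" for k, v in parts.items() if k not in BIND_ORDER]
    return "\n".join(lines) + "\n"

def check_rsa_crt(parts):
    """True if n = p*q and the CRT exponents/coefficient match d, e, p, q."""
    n, e, d, p, q, dp, dq, qinv = (b64int(parts[k]) for k in (
        "Modulus", "PublicExponent", "PrivateExponent", "Prime1", "Prime2",
        "Exponent1", "Exponent2", "Coefficient"))
    return (n == p * q and dp == d % (p - 1) and dq == d % (q - 1)
            and (qinv * q) % p == 1 and (e * d) % math.lcm(p - 1, q - 1) == 1)

# Constructed toy key (p=61, q=53, e=17, d=2753) in the PDNS order shown above.
PDNS_SAMPLE = "\n".join([
    "Private-key-format: v1.2", "Algorithm: 8 (RSASHA256)",
    f"Coefficient: {int_b64(38)}", f"Exponent1: {int_b64(53)}",
    f"Exponent2: {int_b64(49)}", f"Modulus: {int_b64(3233)}",
    f"Prime1: {int_b64(61)}", f"Prime2: {int_b64(53)}",
    f"PrivateExponent: {int_b64(2753)}", f"PublicExponent: {int_b64(17)}"]) + "\n"
```

`reorder_key(parse_key(blob))` on a blob read from the back-end returns the text in BIND's order; `check_rsa_crt` should be True both before and after reordering, since only the order changes.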

