[Pdns-users] Format of private keys in PowerDNSSEC (gmysql) doesn't correspond to BIND's

Maik Zumstrull maik at zumstrull.net
Thu Feb 24 16:44:01 UTC 2011

On Thu, Feb 24, 2011 at 16:38, Jan-Piet Mens <jp at mens.de> wrote:

> PowerDNSSEC stores private keys in the cryptokey table. The blob
> contained there appears to be "Private-key-format: v1.2", however there
> is a difference between keys stored by PDNS and those created by BIND's
> `dnssec-keygen -C' utility. I discovered this upon attempting to read
> the private key extracted from the back-end database with ldns 1.6.8.

> As noted in the comment, I'm not sure whether this small error is on
> PDNS' part or in ldns, but an example in RFC 5702 suggests BIND's format
> is correct.

As far as I can tell, this private key format has no formal
specification. The only reference appears to be the BIND source code.

The BIND parser expects the first two key-value pairs to be
Private-key-format and Algorithm, in that order. The rest of the
fields may follow in any order. Unknown fields are ignored, some
fields are required. The current version of the format is 1.3, but
BIND accepts 1 point anything, as long as at least the fields required
by min { file's version, 1.3 } are found.

In my opinion, the ldns parser should be adjusted to work the same way.
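The parsing rules described above, written out as an added example (not code from PowerDNS, BIND or ldns): header fields first and in order, the rest in any order, unknown fields ignored, any v1.x accepted with requirements taken from min(file version, 1.3). The required-field table is this example's own assumption: it covers RSA keys only, uses the field names from the RFC 5702 private-key example, and treats v1.3 as requiring the same RSA fields as v1.2. Sample inputs are constructed with placeholder values, not real key material.

```python
"""Tolerant parser for BIND-style "Private-key-format" private key files.

Added example following the rules stated in the message above. The
required-field table is an assumption of this example (RSA only, RFC 5702
field names, v1.3 assumed to add no mandatory RSA fields).
"""
import re

LATEST_VERSION = (1, 3)
RSA_ALGORITHMS = {5, 7, 8, 10}  # IANA DNSSEC algorithm numbers using RSA keys
RSA_FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
              "Prime2", "Exponent1", "Exponent2", "Coefficient")
# Constructed table: fields required per effective format version.
REQUIRED_FIELDS = {(1, 2): RSA_FIELDS, (1, 3): RSA_FIELDS}
HEADER_FIELDS = ("Private-key-format", "Algorithm")
_VERSION_RE = re.compile(r"^v(\d+)\.(\d+)$")


class KeyFormatError(ValueError):
    """Raised when a file violates the rules described above."""


def parse_private_key(text):
    """Return {"version", "algorithm", "fields", "ignored"} or raise KeyFormatError."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise KeyFormatError(f"line {lineno}: expected 'Name: value'")
        pairs.append((name.strip(), value.strip()))

    # Rule 1: the two header fields come first, in this order.
    if tuple(name for name, _ in pairs[:2]) != HEADER_FIELDS:
        raise KeyFormatError("file must start with Private-key-format then Algorithm")

    # Rule 2: accept any v1.x; requirements follow min(file version, 1.3).
    match = _VERSION_RE.match(pairs[0][1])
    if not match or int(match.group(1)) != 1:
        raise KeyFormatError(f"unsupported Private-key-format {pairs[0][1]!r}")
    version = (1, int(match.group(2)))
    effective = min(version, LATEST_VERSION)
    if effective not in REQUIRED_FIELDS:
        raise KeyFormatError(f"no required-field table for v{effective[0]}.{effective[1]}")

    # "Algorithm: 8 (RSASHA256)" -> 8; the parenthesised mnemonic is dropped.
    try:
        algorithm = int(pairs[1][1].split()[0])
    except (IndexError, ValueError):
        raise KeyFormatError(f"bad Algorithm value {pairs[1][1]!r}") from None
    if algorithm not in RSA_ALGORITHMS:
        raise KeyFormatError(f"algorithm {algorithm} is outside this example's RSA table")

    # Rule 3: remaining fields in any order; unknown names are ignored.
    fields, ignored = {}, []
    for name, value in pairs[2:]:
        if name in RSA_FIELDS:
            fields[name] = value  # a repeated field keeps its last value
        else:
            ignored.append(name)

    # Rule 4: every field required by the effective version must be present.
    missing = [f for f in REQUIRED_FIELDS[effective] if f not in fields]
    if missing:
        raise KeyFormatError("missing required field(s): " + ", ".join(missing))
    return {"version": version, "algorithm": algorithm,
            "fields": fields, "ignored": ignored}


def validate(text):
    """Return 'ok' or the error message, for checking many files quickly."""
    try:
        parse_private_key(text)
        return "ok"
    except KeyFormatError as exc:
        return str(exc)


# Constructed samples; "AQAB" is a placeholder value, not key material.
_RSA_BODY = "\n".join(f"{name}: AQAB" for name in RSA_FIELDS) + "\n"
CANONICAL = "Private-key-format: v1.2\nAlgorithm: 8 (RSASHA256)\n" + _RSA_BODY
SHUFFLED = ("Private-key-format: v1.5\nAlgorithm: 8\n"
            + "\n".join(f"{name}: AQAB" for name in reversed(RSA_FIELDS))
            + "\nSome-Unknown-Field: whatever\n")
HEADER_SWAPPED = "Algorithm: 8\nPrivate-key-format: v1.2\n" + _RSA_BODY
MISSING_FIELD = CANONICAL.replace("Coefficient: AQAB\n", "")

if __name__ == "__main__":
    for label, sample in [("canonical", CANONICAL), ("shuffled v1.5", SHUFFLED),
                          ("header swapped", HEADER_SWAPPED), ("missing field", MISSING_FIELD)]:
        print(f"{label:15} {validate(sample)}")
```

Run as a script, the canonical and shuffled files both validate while the swapped-header and incomplete files are rejected with a reason; a stricter parser that insists on canonical field order would reject the shuffled file even though every required field is present.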
