
As per RFC 2845, the TSIG RR key name should be in canonical wire format. What exactly does "canonical wire format" mean? I have gone through RFC 2523, and it states that "For purposes of DNS security, the canonical form for an RR is the wire format of the RR with domain names (1) fully expanded (no name compression via pointers), (2) all domain name letters set to lower case, (3) owner name wild cards in master file form (no substitution made for *), and (4) the original TTL substituted for the current TTL."

For example, if the key name is abc.def.shared.key, will it be "\003abc\003def\006\003key\000" in the canonical wire format?


1 Answer


Assuming that the missing "shared" is a typo, that is how the name field should look, yes. If you're using a third-party library to convert to wire format, the most important bit is probably to make sure it doesn't do name compression on your TSIG RR when it's added to the outgoing packet. Also don't forget to set the TTL field to the correct (original) value.

answered 2015-08-26T07:35:56.403
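As an added example that is not part of the question or the answer above: the encoder below builds a domain name in the canonical wire format the answer describes (one length octet per label, labels fully expanded, ASCII letters lowercased, terminating zero-length root label), and a companion check walks a wire-format name and rejects anything containing a compression pointer, which is the mistake the answer warns about when a library serializes the TSIG RR. The function names and the sample names are my own; the only inputs are the asker's key name and a few constructed variants.

```python
# Added example, not code from the original question or answer. It encodes a
# presentation-format name into the canonical wire format required for the
# TSIG key name (RFC 2845, using the RFC 2535 canonical form: no compression
# pointers, ASCII letters lowercased) and checks that a wire name is
# uncompressed before it is fed into a MAC calculation.


def canonical_wire_name(name: str) -> bytes:
    """Encode `name` as an uncompressed, lowercased wire-format name.

    Each label becomes one length octet followed by the label's octets and the
    name ends with a zero-length root label. Labels are capped at 63 octets and
    the whole encoding at 255 octets, as the DNS wire format requires.
    Non-ASCII input is rejected rather than guessed at.
    """
    if name in ("", "."):
        return b"\x00"  # the root name is just the terminating empty label
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            raise ValueError(f"empty label in name {name!r}")
        raw = label.encode("ascii").lower()  # bytes.lower() touches ASCII letters only
        if len(raw) > 63:
            raise ValueError(f"label {label!r} longer than 63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    if len(out) > 255:
        raise ValueError("wire-format name longer than 255 octets")
    return bytes(out)


def is_uncompressed_wire_name(wire: bytes) -> bool:
    """Return True if `wire` is exactly one fully expanded wire-format name.

    A length octet with its top two bits set (0xC0) is an RFC 1035 compression
    pointer; 0x40 and 0x80 are extended or reserved label types. None of these
    may appear in the canonical form, so they are rejected, as are names that
    are truncated or have octets after the root label.
    """
    i = 0
    while i < len(wire):
        length = wire[i]
        if length == 0:
            return i + 1 == len(wire)  # root label must be the final octet
        if length & 0xC0:
            return False  # compression pointer or non-standard label type
        i += 1 + length
    return False  # ran off the end before reaching the root label


if __name__ == "__main__":
    # The asker's key name; mixed case must encode to the same octets.
    for text in ("abc.def.shared.key", "ABC.Def.Shared.KEY."):
        wire = canonical_wire_name(text)
        print(text, "->", wire, "uncompressed:", is_uncompressed_wire_name(wire))
    # Constructed example of what a compressing serializer might emit:
    # label "abc" followed by a pointer to offset 12 in the packet.
    compressed = b"\x03abc\xc0\x0c"
    print(compressed, "uncompressed:", is_uncompressed_wire_name(compressed))
```

The encoder deliberately does not know anything about the surrounding DNS message: a compression pointer is only meaningful relative to a whole packet, and the canonical form used for the TSIG MAC must not contain one, so producing the name in isolation is the simplest way to guarantee that. Run `is_uncompressed_wire_name` on whatever your library actually wrote into the outgoing packet's TSIG RR if you are not sure it honours that rule.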