
I am working on building a custom DNSSEC server that will respond to queries based on their subdomain. For example, queries of

abc123.example.com would respond with 0.0.0.0

def456.example.com would respond with 1.1.1.1

I am using ARSoft Tools to generate the responses to the DNS queries. My question is: what do I need to do to generate the RRSIG record that needs to go along with the response? Here is how I am generating the records in code:

```csharp
// The byte[] { 1, 2, 3 } arrays and the key tag (0) are placeholders; they are what has to be filled in.
// Answer records carry class IN (RecordClass.INet), not ANY.
// Note: the DS record for example.com is published by the parent zone (com), not by example.com's own server.
response.AnswerRecords.Add(new DsRecord(DomainName.Parse("example.com"), RecordClass.INet, 60,
    0 /* key tag of the DNSKEY */, DnsSecAlgorithm.RsaSha256, DnsSecDigestType.Sha256,
    new byte[] { 1, 2, 3 } /* digest */));
response.AnswerRecords.Add(new DnsKeyRecord(DomainName.Parse("example.com"), RecordClass.INet, 60,
    DnsKeyFlags.Zone, 3 /* protocol, always 3 */, DnsSecAlgorithm.RsaSha256,
    new byte[] { 1, 2, 3 } /* public key */));
response.AnswerRecords.Add(new RrSigRecord(DomainName.Parse("example.com"), RecordClass.INet, 60,
    RecordType.A, DnsSecAlgorithm.RsaSha256, 2 /* labels in example.com */, 0 /* original TTL */,
    DateTime.Now.AddMinutes(1) /* expiration */, DateTime.Now /* inception */, 0 /* key tag */,
    DomainName.Parse("example.com") /* signer */, new byte[] { 1, 2, 3 } /* signature */));
```

How and what do I need to gather up to put into the byte array for each of the three records (currently set as byte[] {1,2,3})? The DS record is asking for a digest, the DnsKey is asking for the publicKey, and the rrsig is asking for a signature.

JBStevens6
    It sounds like your library doesn't have the necessary cryptographic operations built into it. If that is indeed the case, you have quite a lot of reading and hacking ahead of you. RFCs 4033, 4034 and 4035 are probably a good starting point (well, after the documentation for the lib you're using). – Calle Dybedahl Apr 15 '16 at 07:15
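As an added illustration of what the comment points at (this is not the asker's code and not part of ARSoft.Tools.Net), the following Python shows the RFC 4034 / RFC 4509 / RFC 3110 byte layouts that feed the three placeholder fields: the DNSKEY public key field, the key tag, the DS digest, and the exact bytes an RRSIG signature is computed over. The key modulus and the record values are constructed sample data; the RSA private-key operation itself is not performed.

```python
import hashlib
import struct
import time

def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, uncompressed (RFC 4034 §6.2)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").lower().split("."))
    return out + b"\x00"

def rsa_public_key_field(exponent: int, modulus: int) -> bytes:
    """DNSKEY public key field for RSA (RFC 3110 §2): exponent length, exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    length = bytes([len(e)]) if len(e) < 256 else b"\x00" + struct.pack("!H", len(e))
    return length + e + n

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key (RFC 4034 §2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); goes into the DS and RRSIG key tag fields."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 = SHA-256(owner name in wire form || DNSKEY RDATA) (RFC 4509)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()

def rrsig_signed_data(owner, type_covered, algorithm, labels, orig_ttl,
                      expiration, inception, tag, signer, rdatas, rclass=1):
    """Bytes the RRSIG signature is computed over (RFC 4034 §3.1.8.1): the RRSIG RDATA
    without the signature field, followed by the RRset in canonical form and order."""
    head = struct.pack("!HBBIIIH", type_covered, algorithm, labels, orig_ttl,
                       expiration, inception, tag) + wire_name(signer)
    rrs = [wire_name(owner) + struct.pack("!HHIH", type_covered, rclass, orig_ttl, len(r)) + r
           for r in sorted(rdatas)]  # canonical RR order: RDATA compared as octet strings (§6.3)
    return head + b"".join(rrs)

# Constructed demo values (tiny modulus for illustration only; real keys are 2048 bits).
OWNER = "example.com"
KSK_RDATA = dnskey_rdata(257, 8, rsa_public_key_field(65537, 0xC0FFEE1234567890ABCDEF))  # 257 = ZONE|SEP, 8 = RSASHA256
def example():
    # Returns (key tag, DS digest, SHA-256 of the signed data for "abc123.example.com A 0.0.0.0").
    tag, digest, now = key_tag(KSK_RDATA), ds_digest(OWNER, KSK_RDATA), int(time.time())
    data = rrsig_signed_data("abc123.example.com", 1, 8, 3, 60, now + 60, now, tag, OWNER, [bytes(4)])
    # RSA/SHA-256 (RFC 5702) = RSASSA-PKCS1-v1_5 with the private key over this hash; that output is the signature field.
    return tag, digest, hashlib.sha256(data).digest()
```

The `labels` field must equal the number of labels in the owner name (3 for abc123.example.com), and the inception and expiration are 32-bit UTC seconds, so the signing clock needs to be correct.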

0 Answers