
RFC6605: Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC has this example of a P-256 key:

    Private-key-format: v1.2
    Algorithm: 13 (ECDSAP256SHA256)
    PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ=

    example.net. 3600 IN DNSKEY 257 3 13 (
            GojIhhXUN/u4v54ZQqGSnyhWJwaubCvTmeexv7bR6edb
            krSqQpF64cYbcB7wNcP+e+MAnLr+Wi9xMWyQLc8NAA== )

    example.net. 3600 IN DS 55648 13 2 (
            b4c8c1fe2e7477127b27115656ad6256f424625bf5c1
            e2770ce6d6e37df61d17 )

    www.example.net. 3600 IN A 192.0.2.1
    www.example.net. 3600 IN RRSIG A 13 3 3600 (
            20100909100439 20100812100439 55648 example.net.
            qx6wLYqmh+l9oCKTN6qIc+bw6ya+KJ8oMz0YP107epXA
            yGmt+3SNruPFKG7tZoLBLlUzGGus7ZwmwWep666VCw== )

Section 6 of that RFC describes this as an example "of ECDSA keys and signatures in DNS format".

RFC4034: Resource Records for the DNS Security Extensions § 2.2 The DNSKEY RR Presentation Format discusses the public keys (e.g. the stuff that follows each example.net entry) but not the private key format.

Like how is Private-key-format: v1.1 different from Private-key-format: v1.2?

  • I believe the format comes from BIND. It may not be standardized, at least I haven't found any formal specification. Commented Dec 4, 2024 at 22:02
  • Format 1.2 was already used by BIND 9.0, format 1.3 (which is still in use) was introduced with BIND 9.7. Everything before that must be ancient, as BIND 8 was released in the late 90s and officially abandoned in 2007. So there are really only two formats with the specification being “whatever the BIND private-key parser does”. Commented Dec 5, 2024 at 7:22
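
Added example (not part of the question, the comments, or the RFC): a pure-Python check that reads the v1.2 key file quoted in the question, derives the P-256 public key from `PrivateKey`, and recomputes the key tag and DS digest of the resulting DNSKEY. It assumes `PrivateKey` is the base64 of the 32-byte big-endian private scalar; the function names are hypothetical and the curve arithmetic is variable-time, so it is suitable for checking test vectors only.

```python
import base64, hashlib

# Values quoted in the question (RFC 6605 section 6.1).
KEY_FILE = """Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ="""
DNSKEY_B64 = ("GojIhhXUN/u4v54ZQqGSnyhWJwaubCvTmeexv7bR6edb"
              "krSqQpF64cYbcB7wNcP+e+MAnLr+Wi9xMWyQLc8NAA==")

# NIST P-256: field prime and base point (curve coefficient a = -3).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def parse_key_file(text):  # 'Field: value' lines -> dict
    return dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)

def ec_add(p1, p2):
    """Affine addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def public_from_private(d):
    """d*G by double-and-add, returned as the DNSKEY key field X || Y."""
    acc, addend = None, G
    while d:
        if d & 1:
            acc = ec_add(acc, addend)
        addend, d = ec_add(addend, addend), d >> 1
    return acc[0].to_bytes(32, "big") + acc[1].to_bytes(32, "big")

def key_tag(rdata):  # RFC 4034 Appendix B checksum over the DNSKEY RDATA
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

fields = parse_key_file(KEY_FILE)
d = int.from_bytes(base64.b64decode(fields["PrivateKey"]), "big")
# DNSKEY RDATA: flags 257, protocol 3, algorithm 13, then the derived key.
rdata = (257).to_bytes(2, "big") + bytes([3, 13]) + public_from_private(d)
ds_digest = hashlib.sha256(b"\x07example\x03net\x00" + rdata).hexdigest()
print(fields["Private-key-format"], key_tag(rdata), ds_digest)
```

The derived key, key tag and digest can be compared against the DNSKEY and DS records in the quoted example to confirm that the private key file and the public records describe the same key pair.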
