DNSSEC grab public key from private for DNSKEY #1558
Comments
but why can't you just set
For my use case where I just want to load the private key to get the public key, I would have to invent a valid DNSKEY, use that to load the private key. Then I get a private key containing, possibly, another public key, which I then have to replace (if the public isn't live yet and therefore can't be queried using DNS). You also have a comment in the code that you should validate that the public key matches the private key which would, if implemented, break the above.
TBF I think only the RSA keys had this weird requirement that you need the pubkey to get the privkey and newer also don't need that.
Anyhow, a fake DNSKEY doesn't break the bank and can prolly be reused as well.
Happy to remove that TODO and update the docs that that check isn't performed.
On Wed, 24 Apr 2024, 10:34 Martin Frausing wrote:
> For my use case where I just want to load the private key to get the public key, I would have to invent a valid DNSKEY, use that to load the private key. Then I get a private key containing, possibly, another public key, which I then have to replace (if the public isn't live yet and therefore can't be queried using DNS). You also have a comment in the code that you should validate that the public key matches the private key which would, if implemented, break the above.
> It would also offer the possibility of doing this without a DNSSEC struct and be consistent with how it is done for ED22519.
I don't think I was able to explain what I wanted to do and to be honest after reading the code further, I also changed my mind about using the DNSKEY to load the PrivateKey. This new code should work as before, IF you are loading a PrivateKey into a DNSKEY with the corresponding PublicKey. I would say in any case the behaviour when mixing different keys should be an error as your comment suggested. Now the PublicKey would be overwritten which makes sense to me.
I'm trying to understand the diff, but this doesn't update any documentation, nor does this add a test to embed this deeper. So nack on this
On Fri, 26 Apr 2024, 20:43 Martin Frausing wrote:
> I don't think I was able to explain what I wanted to do and to be honest after reading the code further, I also changed my mind about using the DNSKEY to load the PrivateKey. This new code should work as before, IF you are loading a PrivateKey into a DNSKEY with the corresponding PublicKey. I would say in any case the behaviour when mixing different keys should be an error as your comment suggested. Now the PublicKey would be overwritten which makes sense to me.
> #1560
Thanks for the quick reply. I will revisit the PR and add tests and/or documentation changes
Ok I have now improved the PR with the following:
Hi
First off, thanks for a great library! I noticed that if you take a DNSKEY and call NewPrivateKey or ReadPrivateKey on it given a private key, the public key that is set in the crypto.PrivateKey is taken from the DNSKEY and not extracted from the key itself.
(k is the DNSKEY struct) and the same for ECDSA keys. ED25519 grabs the public key from the private key as I expect it would.
I know you want to keep the library small, but I want to hear if you would be willing to consider a pull request with this behaviour changed and maybe also allow the methods to be called without a DNSKEY (or with an empty DNSKEY), as I don't see that this is needed anymore and it would at least make my use case simpler. I can of course create the PR.
My relevant use case btw is to load a private key generated elsewhere and stored in a database and create a corresponding DS record from it.
Thanks
Martin