DNSSEC, check binary integer encoding
There could be a possible problem when decoding and encoding integers in binary. The unsigned integers retrieved from the crypto library are usually prefixed with a zero byte to indicate that the number is unsigned (the highest bit must be zero). We have to make sure that after trimming this byte, the crypto library recognizes the integer as the same number.
We need to strip this extra zero byte in some places. We have to be compatible with other implementations. E.g., an extra leading zero byte encoding an integer in the DNSKEY public key field is insignificant, but its presence implies a different keytag value.
- RSA, DNSKEY encoding/decoding
- RSA, RRSIG encoding/decoding
- DSA, DNSKEY encoding/decoding
- DSA, RRSIG encoding/decoding
- ECDSA, DNSKEY encoding/decoding
- ECDSA, RRSIG encoding/decoding
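
The RSA DNSKEY case above, as an added example (not code from this issue or from the project): the same modulus encoded with and without the leading zero byte gives the same integer but a different key tag, and the stripped form needs the byte re-added before a parser that reads signed integers sees it. The modulus, flags 256 and algorithm 8 are constructed sample values and the helper names are hypothetical; the public key layout follows RFC 3110 and the key tag follows RFC 4034 Appendix B.

```python
import struct

def strip_leading_zeros(raw: bytes) -> bytes:
    """Minimal unsigned big-endian form (a single byte is kept for zero)."""
    return raw.lstrip(b"\x00") or b"\x00"

def pad_for_signed_parser(raw: bytes) -> bytes:
    """Re-add the zero byte when the top bit is set, for parsers that read
    the bytes as a two's-complement (signed) integer."""
    return b"\x00" + raw if raw and raw[0] & 0x80 else raw

def rsa_public_key_field(exponent: bytes, modulus: bytes) -> bytes:
    """RFC 3110 layout: exponent length, exponent, modulus."""
    if len(exponent) < 256:
        prefix = bytes([len(exponent)])
    else:
        prefix = b"\x00" + struct.pack("!H", len(exponent))
    return prefix + exponent + modulus

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def keytag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# Constructed toy values, far too short for a real key: a modulus as a
# crypto library might export it (zero-prefixed) and the exponent 65537.
MODULUS_FROM_LIBRARY = bytes.fromhex("00c3a1f5079be2d4")
EXPONENT = bytes.fromhex("010001")

def compare_encodings():
    """Return (tag with the zero byte kept, tag with it stripped)."""
    stripped = strip_leading_zeros(MODULUS_FROM_LIBRARY)
    padded_key = rsa_public_key_field(EXPONENT, MODULUS_FROM_LIBRARY)
    minimal_key = rsa_public_key_field(EXPONENT, stripped)
    return (keytag(dnskey_rdata(256, 8, padded_key)),
            keytag(dnskey_rdata(256, 8, minimal_key)))

if __name__ == "__main__":
    print("key tags (padded, stripped):", compare_encodings())
```

A round-trip test for each item in the checklist can follow the same pattern: encode, decode, and compare both the integer value and the exact wire bytes.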