dns-rrs

CERT PKIX records RFC compliant?

Open wteiken opened this issue 1 year ago • 1 comment

The article pointing to the git is a few years old, but I stumbled across it while tinkering with these records...

Two questions in case you remember any context:

Based on my read of RFC 4398, the value of the PKIX record should not be a plain DER cert, but actually have an X.500 prefix of 0x 03 55 04 24 (assuming it's a user cert) based on https://datatracker.ietf.org/doc/html/rfc4398#section-2.1: "The PKIX type is reserved to indicate an X.509 certificate conforming to the profile defined by the IETF PKIX working group [8]. The certificate section will start with a one-octet unsigned OID length and then an X.500 OID indicating the nature of the remainder of the certificate section (see Section 2.3, below). (NOTE: X.509 certificates do not include their X.500 directory-type-designating OID as a prefix.)" Do you read that section differently (your CERT entry has just the DER cert if I read it correctly)?

Also, you end up with a key tag of 12848 for your CERT record; do you happen to remember how? My read of the RFC is that it should be the checksum used in DNSSEC over the public key contained in the cert. But based on your public key that would be 15651 based on the reference code I found, unless there is a prefix (e.g., for DNSSEC the flag, the mandatory "3" value and the alt type are prefixed before the raw key data). But based on the RFC I see no indication of prepending anything...

wteiken avatar Sep 08 '24 20:09 wteiken

Hey, thanks for reporting this! I no longer remember how I came up with the original record, but I believe you're correct and have updated the current record together with a longer comment on how I constructed it. I'm still not 100% certain that everything's correct there, as the construction strikes me as really convoluted, but hopefully my comments there can help explain what the data is.

jschauma avatar Oct 18 '24 19:10 jschauma