DH help

pingman karthik.kumar23 at gmail.com
Tue Nov 21 10:16:58 UTC 2006

Hello group,
I need to set up a DH key exchange with the DNS server.
I would like to know the procedure for doing so.

The TKEY query for a DH process can be client or server initiated. I am
quoting the BIND 9 reference manual:
"The TKEY process is initiated by a client or server by sending a
signed TKEY query (including any appropriate KEYs) to a TKEY-aware
server. The server response, if it indicates success, will contain a
TKEY record and any appropriate keys. After this exchange, both
participants have enough information to determine the shared secret;
the exact process depends on the TKEY mode. When using the
Diffie-Hellman TKEY mode, Diffie-Hellman keys are exchanged, and the
shared secret is derived by both participants."

My assumptions are:
If the TKEY query is client initiated then the following (IMHO) happens -
1. The client needs to generate prime p, a Private value and a Public value.
2. The client needs to send prime p, generator g (my g is 2), and
Public Pb to the Server.
3. The Server will use the p, g received from the client and generate its
own Private value and public value.
4. The Server also generates, with the Client's Public value and its own
Private value, the Session Key.
5. The Server then sends its Public value to the Client.
6. The client will then generate the same session key using the server's
public key and its own Private key.

What I need to know:
If the client sends p, g and the Public value to the server, how do I send a TKEY
query with p, g and the Public value from client to server?

If the Client gets the DH parameters (p, g and the Server Public value) from the server,
then how do I request these parameters? I understand that in any case a TKEY
query exchange has to take place.

Thanks in advance for any help/tips.
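The six steps listed above, worked through as an added example (not code from the post or from BIND): both sides compute the same shared secret, and the client's p, g and public value are packed into the DH KEY RDATA layout of RFC 2539 (2-octet length prefix before each of prime, generator, public value). It assumes that RDATA layout and a constructed 64-bit demo prime; building the TKEY message itself and the RFC 2930 keying-material derivation are out of scope here.

```python
# Added example: the client-initiated DH TKEY steps 1-6 from the post, plus
# RFC 2539 encoding of the DH public KEY RDATA (assumed layout: u16 length
# then value, for prime, generator and public value in that order).
import secrets

# Constructed demo group (2^64 - 59, prime). Far too small for real use;
# a production TKEY/DH exchange needs a group of at least 2048 bits.
DEMO_P = 0xFFFFFFFFFFFFFFC5
DEMO_G = 2

def make_keypair(p, g, priv=None):
    """Step 1/3: pick a private value (1 <= x <= p-2) and compute g^x mod p."""
    if priv is None:
        priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)

def shared_secret(peer_pub, priv, p):
    """Step 4/6: session key material = peer_pub^priv mod p."""
    if not 1 < peer_pub < p - 1:   # reject 0, 1 and p-1 (trivial subgroups)
        raise ValueError("bad peer public value")
    return pow(peer_pub, priv, p)

def _u16len(n):
    """One RFC 2539 field: 2-octet big-endian length followed by the value."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(b).to_bytes(2, "big") + b

def encode_dh_key_rdata(p, g, pub):
    return _u16len(p) + _u16len(g) + _u16len(pub)

def decode_dh_key_rdata(rdata):
    """Parse prime, generator, public value; reject truncated or trailing data."""
    fields, off = [], 0
    for _ in range(3):
        n = int.from_bytes(rdata[off:off + 2], "big"); off += 2
        if off + n > len(rdata):
            raise ValueError("truncated field")
        fields.append(int.from_bytes(rdata[off:off + n], "big")); off += n
    if off != len(rdata):
        raise ValueError("trailing bytes")
    return tuple(fields)

def run_exchange(p=DEMO_P, g=DEMO_G, client_priv=None, server_priv=None):
    c_priv, c_pub = make_keypair(p, g, client_priv)        # steps 1-2
    sp, sg, c_pub_at_server = decode_dh_key_rdata(encode_dh_key_rdata(p, g, c_pub))
    s_priv, s_pub = make_keypair(sp, sg, server_priv)      # step 3
    server_key = shared_secret(c_pub_at_server, s_priv, sp)  # step 4
    _, _, s_pub_at_client = decode_dh_key_rdata(encode_dh_key_rdata(sp, sg, s_pub))  # step 5
    client_key = shared_secret(s_pub_at_client, c_priv, p)  # step 6
    return client_key, server_key
```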

More information about the bind-users mailing list