RFC 4034, "Resource Records for the DNS Security Extensions", March 2005
Source of RFC: dnsext (int)
Errata ID: 4552
Reported By: Ben Laurie
Date Reported: 2015-12-04
Verifier Name: Brian Haberman
Date Verified: 2015-12-14
Section Appendix B says:
These groups are then added together, ignoring any carry bits.
It should say:
These groups are then added together with at least 32-bit precision, retaining any carry bits. The carry bits are then added to the result, and finally, only the lower 16 bits of the result are used as the key tag. Note that this means any carries generated during the addition of the carry bits are ignored. This, in turn, means that the keytag calculation is often the same as reduction modulo 65535, but not always.
Errata 2681 already proposes a fix to Appendix B; however, the proposed fix is not quite clear. The first part of the corrected text is from 2681.
It's worth pointing this out because a naive analysis says in fact the keytag is exactly the same as reduction modulo 65535, and this has already wasted a fair amount of time.
It is also worth pointing out, perhaps, that this is a poor choice of algorithm for this particular application as it interacts badly with the properties of keys.
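As an added illustration (not part of this erratum or of RFC 4034's own Appendix B code): the key tag computed as the corrected text describes, beside the naive mod-65535 reduction, run over constructed DNSKEY RDATA byte strings (not real keys) chosen so that the two results diverge.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Key tag over DNSKEY RDATA as the corrected Appendix B text describes:
 * 16-bit groups summed with 32-bit precision, the carry bits folded in
 * once, then only the low 16 bits kept. A trailing odd byte is treated
 * as the high byte of its group, as in the RFC's reference code. */
uint16_t keytag(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; ++i)
        ac += (i & 1) ? rdata[i] : ((uint32_t)rdata[i] << 8);
    ac += (ac >> 16) & 0xFFFF;  /* add the carries; any carry from this step is dropped */
    return (uint16_t)(ac & 0xFFFF);
}

/* The "naive analysis": the same sum reduced modulo 65535. */
uint16_t keytag_mod65535(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; ++i)
        ac += (i & 1) ? rdata[i] : ((uint32_t)rdata[i] << 8);
    return (uint16_t)(ac % 65535);
}

/* Constructed RDATA byte strings (not real DNSKEY records), chosen so the
 * group sum does and does not overflow 16 bits. */
static const uint8_t sample_agree[] = {0x01, 0x00, 0x03, 0x08};             /* sum 0x0408 */
static const uint8_t sample_wrap[]  = {0xFF, 0xFF, 0xFF, 0xFF};             /* sum 0x1FFFE */
static const uint8_t sample_carry[] = {0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x01}; /* sum 0x1FFFF */

static void show(const char *name, const uint8_t *rdata, size_t len)
{
    printf("%-12s keytag=%5u  mod65535=%5u\n", name,
           keytag(rdata, len), keytag_mod65535(rdata, len));
}

int main(void)
{
    show("agree", sample_agree, sizeof sample_agree);  /* 1032 vs 1032 */
    show("wrap",  sample_wrap,  sizeof sample_wrap);   /* 65535 vs 0 */
    show("carry", sample_carry, sizeof sample_carry);  /* 0 vs 1 */
    return 0;
}
```

The two functions agree whenever the folded carry plus the low 16 bits stays below 65535; once that sum reaches 65535 the key tag keeps 0xFFFF (or wraps to a value one less than the modular result), which is exactly the "often the same, but not always" in the corrected text.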