RFC 4034, "Resource Records for the DNS Security Extensions", March 2005

Note: This RFC has been updated by RFC 4470, RFC 6014, RFC 6840, RFC 6944, RFC 9077

Errata ID: 2681
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Guillaume Bailey
Date Reported: 2011-01-05
Held for Document Update by: Brian Haberman

Section B says:

   The key tag is the same for all DNSKEY algorithm types except
   algorithm 1 (please see Appendix B.1 for the definition of the key
   tag for algorithm 1).  The key tag algorithm is the sum of the wire
   format of the DNSKEY RDATA broken into 2 octet groups.  First, the
   RDATA (in wire format) is treated as a series of 2 octet groups.
   These groups are then added together, ignoring any carry bits.

It should say:

   The key tag is the same for all DNSKEY algorithm types except
   algorithm 1 (please see Appendix B.1 for the definition of the key
   tag for algorithm 1).  The key tag algorithm is the sum of the wire
   format of the DNSKEY RDATA broken into 2 octet groups.  First, the
   RDATA (in wire format) is treated as a series of 2 octet groups.
   These groups are then added together with at least 32-bit precision,
   retaining any carry bits. The carry bits are then added to the result,
   and finally, only the lower 16 bits of the result are used as the key 
   tag.

Notes:

This change comes from the example implementation. The accumulator, ac, is required ("assumed") to be 32-bits or larger, and the carry bits are added to the accumulator before returning:

ac += (ac >> 16) & 0xFFFF;

Report New Errata