[dns-operations] .nz DNSKEY encoding

Chris Thompson cet1 at cam.ac.uk
Fri Jan 20 19:40:39 UTC 2012

A quick analysis of the DNSKEY public exponents in TLDs:

  base64       exponent      ZSKs      KSKs   
  AQ[M-P]             3         7         4     com,edu,gov,net       
  AwEAA[Q-f]     2^16+1       126       123
  BAABAA[E-H]    2^16+1[*]      1         1     nz
  BQEAAAAB       2^32+1         8         5     cz,gov,la,my,us

[*] with technically illegal zero padding

"gov" is a bit strange in having one ZSK with exponent 3 and another
with exponent 2^32+1.

The same exponents seem to be used in the higher levels of the reverse
lookup zones. I was a little surprised not to see BEAAAA[M-P] = 2^30+3
as generated by BIND's "dnssec-keygen -e" and used in e.g. dlv.isc.org
and (excuse me) cam.ac.uk.

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the dns-operations mailing list