[dns-operations] .nz DNSKEY encoding
Chris Thompson
cet1 at cam.ac.uk
Wed Mar 7 15:25:11 UTC 2012
On Jan 20 2012, I wrote:
>A quick analysis of the DNSKEY public exponents in TLDs:
>
> base64 exponent ZSKs KSKs
> AQ[M-P] 3 7 4 com,edu,gov,net
> AwEAA[Q-f] 2^16+1 126 123
> BAABAA[E-H] 2^16+1[*] 1 1 nz
> BQEAAAAB 2^32+1 8 5 cz,gov,la,my,us
>
>[*] with technically illegal zero padding
>
>"gov" is a bit strange in having one ZSK with exponent 3 and another
>with exponent 2^32+1.
>
>The same exponents seem to be used in the higher levels of the reverse
>lookup zones. I was a little surprised not to see BEAAAA[M-P] = 2^30+3
>as generated by BIND's "dnssec-keygen -e" and used in e.g. dlv.isc.org
>and (excuse me) cam.ac.uk.
It turns out that what exponent "dnssec-keygen -e" generates depends
on which version of OpenSSL it is linked with: older versions generate
2^30+3 but newer ones 2^32+1. I am not sure yet just when it changed,
but OpenSSL 1.0.0 certainly generates the latter.
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
More information about the dns-operations
mailing list