[dns-operations] .nz DNSKEY encoding

Chris Thompson cet1 at cam.ac.uk
Wed Mar 7 15:25:11 UTC 2012


On Jan 20 2012, I wrote:

>A quick analysis of the DNSKEY public exponents in TLDs:
>
>  base64       exponent      ZSKs      KSKs   
>  AQ[M-P]             3         7         4     com,edu,gov,net       
>  AwEAA[Q-f]     2^16+1       126       123
>  BAABAA[E-H]    2^16+1[*]      1         1     nz
>  BQEAAAAB       2^32+1         8         5     cz,gov,la,my,us
>
>[*] with technically illegal zero padding
>
>"gov" is a bit strange in having one ZSK with exponent 3 and another
>with exponent 2^32+1.
>
>The same exponents seem to be used in the higher levels of the reverse
>lookup zones. I was a little surprised not to see BEAAAA[M-P] = 2^30+3
>as generated by BIND's "dnssec-keygen -e" and used in e.g. dlv.isc.org
>and (excuse me) cam.ac.uk.

It turns out that what exponent "dnssec-keygen -e" generates depends
on which version of OpenSSL it is linked with: older versions generate
2^30+3 but newer ones 2^32+1. I am not sure yet just when it changed,
but OpenSSL 1.0.0 certainly generates the latter.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
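The base64 prefixes in the table above fall directly out of the RFC 3110 wire format for RSA DNSKEY public keys: a one-byte exponent length (or a zero byte plus a two-byte length for exponents of 256 bytes or more), the exponent itself, then the modulus. The following is an added example, not code from the original post; it encodes and decodes that layout, flags the leading-zero exponent byte that the post calls "technically illegal" for .nz, and recomputes the modulus-independent prefix for each exponent listed. The exponent list and sample moduli are constructed for the demonstration; the bracketed range characters in the post ([M-P], [Q-f], [E-H]) are determined by the first bits of the modulus, so they are not part of the fixed prefix.

```python
import base64
import struct
from typing import Dict, List, Tuple

# Constructed list: the exponents the post's table attributes to TLD DNSKEYs,
# with the fixed width used to reproduce the zero-padded .nz encoding.
EXPONENTS_FROM_POST = [
    ("3 (com, edu, gov, net)", 3, 0),
    ("2^16+1 (most TLDs)", 65537, 0),
    ("2^16+1 zero-padded (nz)", 65537, 4),
    ("2^32+1 (cz, gov, la, my, us)", 2 ** 32 + 1, 0),
    ("2^30+3 (older OpenSSL dnssec-keygen -e)", 2 ** 30 + 3, 0),
]


def _exponent_bytes(exponent: int, zero_pad_to: int = 0) -> bytes:
    """Minimal big-endian encoding; zero_pad_to > 0 forces a fixed width
    with leading zero bytes, mimicking the .nz quirk."""
    width = (exponent.bit_length() + 7) // 8
    return exponent.to_bytes(max(width, zero_pad_to), "big")


def encode_rsa_dnskey(exponent: int, modulus: bytes, zero_pad_to: int = 0) -> str:
    """RFC 3110 public key field as the base64 seen in DNSKEY presentation
    format: length header, exponent, modulus."""
    exp = _exponent_bytes(exponent, zero_pad_to)
    if len(exp) < 256:
        header = bytes([len(exp)])
    else:
        header = b"\x00" + struct.pack(">H", len(exp))
    return base64.b64encode(header + exp + modulus).decode("ascii")


def decode_rsa_dnskey(b64: str) -> Tuple[int, bytes, bool]:
    """Inverse of encode_rsa_dnskey. Returns (exponent, modulus, padded);
    padded is True when the exponent carries a leading zero byte."""
    raw = base64.b64decode(b64)
    if raw[0] != 0:
        n, off = raw[0], 1
    else:
        n, off = struct.unpack(">H", raw[1:3])[0], 3
    exp = raw[off:off + n]
    padded = n > 1 and exp[0] == 0
    return int.from_bytes(exp, "big"), raw[off + n:], padded


def exponent_prefix(exponent: int, zero_pad_to: int = 0) -> str:
    """Base64 characters fixed by the header and exponent alone: each 6-bit
    group drawn entirely from those bytes is independent of the modulus."""
    exp = _exponent_bytes(exponent, zero_pad_to)
    header_len = 1 if len(exp) < 256 else 3
    fixed_chars = (8 * (header_len + len(exp))) // 6
    return encode_rsa_dnskey(exponent, b"\x00" * 3, zero_pad_to)[:fixed_chars]


def tally_exponents(keys: List[str]) -> Dict[Tuple[int, bool], int]:
    """Count keys per (exponent, padded) pair, the shape of the post's table;
    a padded entry is the kind of encoding the post remarks on for .nz."""
    counts: Dict[Tuple[int, bool], int] = {}
    for key in keys:
        e, _, padded = decode_rsa_dnskey(key)
        counts[(e, padded)] = counts.get((e, padded), 0) + 1
    return counts


if __name__ == "__main__":
    for label, e, pad in EXPONENTS_FROM_POST:
        print(f"{exponent_prefix(e, pad):<10} {label}")
    # Constructed sample keys with a dummy 32-byte modulus.
    m = bytes(range(1, 33))
    sample = [encode_rsa_dnskey(3, m), encode_rsa_dnskey(65537, m),
              encode_rsa_dnskey(65537, m, zero_pad_to=4)]
    for (e, padded), n in sorted(tally_exponents(sample).items()):
        print(f"exponent {e:>6}  padded={padded!s:<5}  count={n}")
```

Running the script prints AQ, AwEAA, BAABAA, BQEAAAAB and BEAAAA against their labels, matching the post's table; `decode_rsa_dnskey` also handles the three-byte length header for exponents of 256 bytes or more, which none of the listed TLDs use.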
