[dns-operations] a maximum of about 16K possible DNSSEC keytags?

Peter van Dijk peter.van.dijk at powerdns.com
Tue Dec 1 07:41:22 UTC 2015


On 30 Nov 2015, at 15:51, Roy Arends wrote:

> On 29 Nov 2015, at 23:20, Roy Arends wrote:
>> I am only able to generate about 16K unique keytags for a 2K 
>> RSASHA256 KSK (*), even after generating hundreds of thousands of 
>> keys in a loop.
> Peter van Dijk generated a large set of DNSKEYs with the same 
> algorithm, flags and exponent and was able to generate a lot more 
> unique keytags. Peter is using PowerDNS 'pdnssec add-zone-key' 
> which uses mbedTLS 2.1.0, while I was using dnssec-keygen and 
> ldns-keygen which both used OpenSSL 0.9.8zg.

I now have ~130k (different!) keys, with 32201 unique key tags. This is 
almost twice as many as Roy had, but it looks like it might top off 
around 32k. Numbers at 
for those who want to do stats.

The csv should also be good to look at bit distributions. When I looked 
yesterday (with around 15k keys) every bit had about a 50% chance of 
being set, which suggested no bias to me, but this is not my strong 

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
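As an added illustration (not part of this message, and not PowerDNS, BIND or ldns code), the RFC 4034 Appendix B key tag computed over DNSKEY RDATA, together with the RFC 3110 RSA public-key layout that Roy's and Peter's keys share (flags 257, algorithm 8, exponent 65537). The moduli below are constructed random byte strings with the shape of a 2048-bit modulus, not real keys; they exist only to show that the tag is a 16-bit sum, so no key population can ever exceed 65536 distinct tags and a validator must be prepared for several DNSKEYs sharing one tag.

```python
import base64
import random


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol,
    algorithm, public key). Even-indexed bytes form the high half of a
    16-bit word, odd-indexed bytes the low half; a trailing lone byte
    is shifted into the high half. The carry is folded once, so the
    result is a 16-bit value: at most 65536 distinct tags exist."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_dnskey_rdata(flags: int, algorithm: int, exponent: int, modulus: bytes) -> bytes:
    """DNSKEY RDATA for an RSA key using the RFC 3110 public key encoding:
    exponent length (1 byte, or 0 + 2 bytes when >= 256), exponent, modulus.
    Protocol is always 3 for DNSSEC."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    elen = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + elen + e + modulus


def keytag_from_presentation(flags: int, protocol: int, algorithm: int, b64key: str) -> int:
    """Key tag of a DNSKEY given in zone-file presentation form."""
    return keytag(flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(b64key))


def constructed_modulus(rng: random.Random, bits: int = 2048) -> bytes:
    """Constructed stand-in for an RSA modulus (NOT a real key): random bits
    with the top two bits and the low bit set, as a real modulus of this
    size has. Only its byte layout matters for the key tag."""
    n = rng.getrandbits(bits) | (0b11 << (bits - 2)) | 1
    return n.to_bytes(bits // 8, "big")


def unique_tag_count(count: int, seed: int = 1):
    """Distinct key tags over `count` constructed 2048-bit RSASHA256 KSKs
    (flags 257, algorithm 8, exponent 65537), and the size of the tag space."""
    rng = random.Random(seed)
    tags = {keytag(rsa_dnskey_rdata(257, 8, 65537, constructed_modulus(rng))) for _ in range(count)}
    return len(tags), 1 << 16


if __name__ == "__main__":
    seen, space = unique_tag_count(20000)
    print(f"{seen} unique tags from 20000 constructed keys (tag space {space})")
```

Feeding real keys (e.g. the base64 field of a DNSKEY record) through keytag_from_presentation gives the tag that dnssec-keygen and pdnssec print for that key, which is how a CSV such as Peter's can be rechecked independently.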
