[dns-operations] a maximum of about 16K possible DNSSEC keytags?

Peter van Dijk peter.van.dijk at powerdns.com
Tue Dec 1 07:41:22 UTC 2015


Hello,

On 30 Nov 2015, at 15:51, Roy Arends wrote:

> On 29 Nov 2015, at 23:20, Roy Arends wrote:
>
>> I am only able to generate about 16K unique keytags for a 2K 
>> RSASHA256 KSK (*), even after generating hundreds of thousands of 
>> keys in a loop.
>
> Peter van Dijk generated a large set of DNSKEYs with the same 
> algorithm, flags and exponent and was able to generate a lot more 
> unique keytags. Peter is using PowerDNS ’pdnssec add-zone-key’ 
> which uses mbedTLS 2.1.0, while I was using dnssec-keygen and 
> ldns-keygen which both used OpenSSL 0.9.8zg.

I now have ~130k (different!) keys, with 32201 unique key tags. This is 
almost twice as much as Roy had but it looks like it might top off 
around 32k. Numbers at 
https://gist.githubusercontent.com/anonymous/24749cea279ce2af2b9c/raw/b06fbc97791f376b2e5e15d0931e0ad1a7030e35/keytags.csv 
for those who want to do stats.

The csv should also be good to look at bit distributions. When I looked 
yesterday (with around 15k keys) every bit had about a 50% chance of 
being set, which suggested no bias to me, but this is not my strong 
suit.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
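Added worked example, not taken from Peter's or Roy's mail nor from PowerDNS, BIND or ldns: the RFC 4034 Appendix B key tag computed over DNSKEY RDATA (with the Appendix B.1 rule for algorithm 1), an RFC 3110 RDATA builder, a presentation-format parser, and the two figures Peter describes looking at in the CSV, unique-tag count and per-bit set fraction. Function names (keytag, rsa_dnskey_rdata, parse_dnskey_presentation, synthetic_2048bit_moduli, tag_stats) are my own. The "keys" it runs over are constructed random byte strings shaped like 2048-bit odd moduli, not real RSA keys, so the output only shows the arithmetic and what an unbiased tag set looks like; feed tag_stats the tags of a real key set to compare against it.

```python
import base64
import random
from typing import Dict, List


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA
    (flags | protocol | algorithm | public key).
    Algorithm 1 (RSA/MD5) uses the Appendix B.1 rule instead: the
    key tag is the 16 bits just above the last byte of the modulus."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA too short")
    if rdata[3] == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        # even offsets are the high byte of a 16-bit word, odd the low byte;
        # a trailing odd byte is treated as a word with a zero low byte
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF  # fold the carry back in once
    return ac & 0xFFFF


def rsa_dnskey_rdata(flags: int, algorithm: int, exponent: int, modulus: bytes) -> bytes:
    """DNSKEY RDATA with an RFC 3110 RSA public key: exponent length
    (1 byte, or 0 + 2 bytes when >= 256), exponent, modulus. Protocol is always 3."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        exp_len = bytes([len(exp)])
    else:
        exp_len = b"\x00" + len(exp).to_bytes(2, "big")
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + exp_len + exp + modulus


def parse_dnskey_presentation(text: str) -> bytes:
    """'257 3 8 AwEA...' -> RDATA; the base64 may be split over several tokens."""
    fields = text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def synthetic_2048bit_moduli(n: int, seed: int = 1) -> List[bytes]:
    """Constructed stand-ins for RSA-2048 moduli: 256 random bytes with the
    top bit set (exactly 2048 bits) and the low bit set (product of odd
    primes is odd). Not real keys; they only exercise the tag arithmetic."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        m = bytearray(rng.getrandbits(8) for _ in range(256))
        m[0] |= 0x80
        m[-1] |= 0x01
        out.append(bytes(m))
    return out


def tag_stats(tags: List[int]) -> Dict[str, object]:
    """Unique-tag count plus, for bit 15 down to bit 0, the fraction of tags
    with that bit set (about 0.5 everywhere for an unbiased tag set)."""
    bit_fraction = [sum((t >> bit) & 1 for t in tags) / len(tags) for bit in range(15, -1, -1)]
    return {"keys": len(tags), "unique_tags": len(set(tags)), "bit_fraction_set": bit_fraction}


if __name__ == "__main__":
    # KSK flags 257, RSASHA256 (8), exponent 65537, over constructed moduli
    tags = [keytag(rsa_dnskey_rdata(257, 8, 65537, m)) for m in synthetic_2048bit_moduli(2000)]
    stats = tag_stats(tags)
    print(f"{stats['keys']} keys, {stats['unique_tags']} unique key tags")
    for bit, frac in zip(range(15, -1, -1), stats["bit_fraction_set"]):
        print(f"bit {bit:2d} set in {frac:.3f} of tags")
```

With uniform key material 2000 tags give on the order of 30 collisions out of 65536 possible values, so a cap near 16K or 32K unique tags from hundreds of thousands of real keys is not what the plain Appendix B arithmetic produces; that makes the key generator, not the tag function, the place to look.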