[dns-operations] a maximum of about 16K possible DNSSEC keytags?
Peter van Dijk
peter.van.dijk at powerdns.com
Tue Dec 1 07:41:22 UTC 2015
Hello,
On 30 Nov 2015, at 15:51, Roy Arends wrote:
> On 29 Nov 2015, at 23:20, Roy Arends wrote:
>
>> I am only able to generate about 16K unique keytags for a 2K
>> RSASHA256 KSK (*), even after generating hundreds of thousands of
>> keys in a loop.
>
> Peter van Dijk generated a large set of DNSKEYs with the same
> algorithm, flags and exponent and was able to generate a lot more
> unique keytags. Peter is using PowerDNS ’pdnssec add-zone-key’
> which uses mbedTLS 2.1.0, while I was using dnssec-keygen and
> ldns-keygen which both used OpenSSL 0.9.8zg.
I now have ~130k (different!) keys, with 32201 unique key tags. This is
almost twice as much as Roy had but it looks like it might top off
around 32k. Numbers at
https://gist.githubusercontent.com/anonymous/24749cea279ce2af2b9c/raw/b06fbc97791f376b2e5e15d0931e0ad1a7030e35/keytags.csv
for those who want to do stats.
The csv should also be good to look at bit distributions. When I looked
yesterday (with around 15k keys) every bit had about a 50% chance of
being set, which suggested no bias to me, but this is not my strong
suit.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
More information about the dns-operations
mailing list