[dns-operations] a maximum of about 16K possible DNSSEC keytags?

Peter van Dijk peter.van.dijk at powerdns.com
Tue Dec 1 07:44:52 UTC 2015


On 1 Dec 2015, at 8:41, Peter van Dijk wrote:

> Hello,
> On 30 Nov 2015, at 15:51, Roy Arends wrote:
>> On 29 Nov 2015, at 23:20, Roy Arends wrote:
>>> I am only able to generate about 16K unique keytags for a 2K 
>>> RSASHA256 KSK (*), even after generating hundreds of thousands of 
>>> keys in a loop.
>> Peter van Dijk generated a large set of DNSKEYs with the same 
>> algorithm, flags and exponent and was able to generate a lot more 
>> unique keytags. Peter is using PowerDNS ’pdnssec add-zone-key’ 
>> which uses mbedTLS 2.1.0, while I was using dnssec-keygen and 
>> ldns-keygen which both used OpenSSL 0.9.8zg.
> I now have ~130k (different!) keys, with 32201 unique key tags. This 
> is almost twice as much as Roy had but it looks like it might top off 
> around 32k. Numbers at 
> https://gist.githubusercontent.com/anonymous/24749cea279ce2af2b9c/raw/b06fbc97791f376b2e5e15d0931e0ad1a7030e35/keytags.csv 
> for those who want to do stats.
> The csv should also be good to look at bit distributions. When I 
> looked yesterday (with around 15k keys) every bit had about a 50% 
> chance of being set, which suggested no bias to me, but this is not my 
> strong suit.

Sorry - that csv has counts, not actual key tag numbers. The full 
unsorted ungrouped list of key tags so far is at 

(`keytags.csv` is generated from `keytags`, in fact).

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

More information about the dns-operations mailing list