[dns-operations] a maximum of about 16K possible DNSSEC keytags?
Peter van Dijk
peter.van.dijk at powerdns.com
Tue Dec 1 07:44:52 UTC 2015
Hello,
On 1 Dec 2015, at 8:41, Peter van Dijk wrote:
> Hello,
>
> On 30 Nov 2015, at 15:51, Roy Arends wrote:
>
>> On 29 Nov 2015, at 23:20, Roy Arends wrote:
>>
>>> I am only able to generate about 16K unique keytags for a 2K
>>> RSASHA256 KSK (*), even after generating hundreds of thousands of
>>> keys in a loop.
>>
>> Peter van Dijk generated a large set of DNSKEYs with the same
>> algorithm, flags and exponent and was able to generate a lot more
>> unique keytags. Peter is using PowerDNS ’pdnssec add-zone-key’
>> which uses mbedTLS 2.1.0, while I was using dnssec-keygen and
>> ldns-keygen which both used OpenSSL 0.9.8zg.
>
> I now have ~130k (different!) keys, with 32201 unique key tags. This
> is almost twice as much as Roy had but it looks like it might top off
> around 32k. Numbers at
> https://gist.githubusercontent.com/anonymous/24749cea279ce2af2b9c/raw/b06fbc97791f376b2e5e15d0931e0ad1a7030e35/keytags.csv
> for those who want to do stats.
>
> The csv should also be good to look at bit distributions. When I
> looked yesterday (with around 15k keys) every bit had about a 50%
> chance of being set, which suggested no bias to me, but this is not my
> strong suit.
Sorry - that csv has counts, not actual key tag numbers. The full
unsorted ungrouped list of key tags so far is at
https://gist.githubusercontent.com/anonymous/e30b4c905501a7d6aeea/raw/478a46abf6c0011c9eabd10a1a875684f859bbdf/keytags
(`keytags.csv` is generated from `keytags`, in fact).
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
More information about the dns-operations
mailing list