[dns-operations] a maximum of about 16K possible DNSSEC keytags?
Peter van Dijk
peter.van.dijk at powerdns.com
Tue Dec 1 07:44:52 UTC 2015
On 1 Dec 2015, at 8:41, Peter van Dijk wrote:
> On 30 Nov 2015, at 15:51, Roy Arends wrote:
>> On 29 Nov 2015, at 23:20, Roy Arends wrote:
>>> I am only able to generate about 16K unique keytags for a 2K
>>> RSASHA256 KSK (*), even after generating hundreds of thousands of
>>> keys in a loop.
>> Peter van Dijk generated a large set of DNSKEYs with the same
>> algorithm, flags and exponent and was able to generate a lot more
>> unique keytags. Peter is using PowerDNS ’pdnssec add-zone-key’
>> which uses mbedTLS 2.1.0, while I was using dnssec-keygen and
>> ldns-keygen which both used OpenSSL 0.9.8zg.
> I now have ~130k (different!) keys, with 32201 unique key tags. This
> is almost twice as much as Roy had but it looks like it might top off
> around 32k. Numbers at
> for those who want to do stats.
> The csv should also be good to look at bit distributions. When I
> looked yesterday (with around 15k keys) every bit had about a 50%
> chance of being set, which suggested no bias to me, but this is not my
> strong suit.
Sorry - that csv has counts, not actual key tag numbers. The full
unsorted ungrouped list of key tags so far is at
(`keytags.csv` is generated from `keytags`, in fact).
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
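As an added illustration of what the thread is counting (this is not code from the thread, from PowerDNS, or from the keygen tools named in it): the RFC 4034 Appendix B key tag computed over a DNSKEY RDATA, plus the unique-tag count and per-bit set frequency Peter describes, run over constructed moduli of seeded random bits rather than real RSA keys.

```python
import random
import struct

def rfc4034_keytag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5):
    16-bit big-endian words of the DNSKEY RDATA are summed (an odd
    trailing byte lands in the high half), the carry is folded in once,
    and the low 16 bits are the tag. Summing even and odd bytes
    separately is the same arithmetic as the RFC's per-byte loop."""
    ac = (sum(rdata[0::2]) << 8) + sum(rdata[1::2])
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_dnskey_rdata(flags: int, protocol: int, algorithm: int,
                     exponent: int, modulus: bytes) -> bytes:
    """DNSKEY RDATA (flags, protocol, algorithm) followed by an RFC 3110
    RSA public key: exponent length (1 byte, or 0 plus 2 bytes when the
    exponent is 256 bytes or longer), exponent, modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    exp_len = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + struct.pack(">H", len(exp))
    return struct.pack(">HBB", flags, protocol, algorithm) + exp_len + exp + modulus

def keytag_stats(n_keys: int, modulus_bits: int = 2048, seed: int = 1):
    """Count distinct key tags and per-bit set frequency over n_keys
    DNSKEYs that differ only in their modulus. The moduli are CONSTRUCTED
    from seeded random bits (top two bits and low bit forced to 1, as in
    a real RSA modulus); they are not real RSA keys. Flags 257, protocol
    3, algorithm 8 (RSASHA256) and exponent 65537 match the thread's KSKs."""
    rng = random.Random(seed)
    tags = []
    for _ in range(n_keys):
        m = rng.getrandbits(modulus_bits)
        m |= (3 << (modulus_bits - 2)) | 1
        rdata = rsa_dnskey_rdata(257, 3, 8, 65537, m.to_bytes(modulus_bits // 8, "big"))
        tags.append(rfc4034_keytag(rdata))
    unique = len(set(tags))
    # Fraction of tags with bit i set, i = 0 (LSB) .. 15; ~0.5 means no bias.
    bit_freq = [sum((t >> i) & 1 for t in tags) / len(tags) for i in range(16)]
    return unique, bit_freq

if __name__ == "__main__":
    unique, bit_freq = keytag_stats(20000)
    print(f"{unique} unique key tags out of 20000 keys (65536 possible)")
    print("bit set frequencies:", [round(f, 3) for f in bit_freq])
```

With fully random modulus bits the tags spread over the whole 16-bit space, which is the baseline the ~16K and ~32K counts reported in the thread fall well short of.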