[dns-operations] a maximum of about 16K possible DNSSEC keytags?

Warren Kumari warren at kumari.net
Mon Nov 30 15:34:41 UTC 2015


... and, for the last hour or so I've been generating lots of keys using
ISC BIND dnssec-keygen.

Currently I'm up to:
wkumari at eric:~/tmp/tmp$ wc -l keytags
5209 keytags
(and, boy, are my fingers tired...)

How did you generate the keys? I've been doing:
dnssec-keygen -K keys -a RSASHA256 -b 2048 -f KSK -v \
0 -r /dev/urandom example.com > /dev/null 2>&1

W

On Mon, Nov 30, 2015 at 10:24 AM Roy Arends <roy at dnss.ec> wrote:

> On 29 Nov 2015, at 23:20, Roy Arends wrote:
>
> > I am only able to generate about 16K unique keytags for a 2K RSASHA256
> > KSK (*), even after generating hundreds of thousands of keys in a
> > loop.
> >
> > I expected the entire 16 bit keytag space used (i.e. 64K keytags), as
> > the keytag is simply the sum of the DNSKEY RDATA (as a series of two
> > byte values) with the high two bytes of the resulting 32 bit value
> > added to the low 2 byte without carry.
> >
> > Since the RDATA contains 256 bytes of modulus (a result of multiplying
> > two randomly generated 128 byte primes), I thought it had a fair
> > amount of entropy so that the resulting key tags would be nicely
> > distributed.
> >
> > Apparently not.
> >
> > Anyone able (willing) to explain the math, please?
>
> Peter van Dijk generated a large set of DNSKEYs with the same algorithm,
> flags and exponent and was able to generate a lot more unique keytags.
> Peter is using PowerDNS ’pdnssec add-zone-key’ which uses mbedTLS
> 2.1.0, while I was using dnssec-keygen and ldns-keygen which both used
> OpenSSL 0.9.8zg.
>
> It looks like the difference stems from the libraries involved. At least
> we can fingerprint the key generators behind the keys used :-)
>
> Not sure if I can find out more, or if this is important. Will keep
> looking though.
>
> Thanks
>
> Roy
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
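The key tag arithmetic Roy walks through in the quoted message is RFC 4034 Appendix B. The following is an added example, not code from either poster, from BIND, ldns or PowerDNS: it assembles RSASHA256 KSK DNSKEY RDATA in wire format, computes the key tag exactly as the RFC specifies (including the fold), and counts distinct tags over randomly constructed 2048-bit moduli (test data with the top and bottom bits set, not products of two primes) to show the baseline a uniformly distributed modulus should give. The sample sizes and seed are arbitrary choices for the illustration.

```python
"""DNSKEY key tag (RFC 4034 Appendix B) and a distribution experiment."""
import random
import struct

# Fixed DNSKEY fields for a KSK using RSASHA256, matching the keys in the
# thread: flags 257 (ZONE|SEP), protocol 3, algorithm 8, exponent 65537.
KSK_FLAGS = 257
PROTOCOL = 3
ALG_RSASHA256 = 8
RSA_E_65537 = b"\x01\x00\x01"


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1: sum the RDATA as big-endian 16-bit words into a
    32-bit accumulator (a trailing odd byte counts as the high byte of one
    more word), add the high 16 bits to the low 16 bits once, keep the low
    16 bits. Algorithm 1 (RSAMD5) uses a different rule and is not handled."""
    words = len(rdata) // 2
    ac = sum(struct.unpack("!%dH" % words, rdata[:2 * words]))
    if len(rdata) % 2:
        ac += rdata[-1] << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_dnskey_rdata(modulus: bytes, exponent: bytes = RSA_E_65537,
                     flags: int = KSK_FLAGS, alg: int = ALG_RSASHA256) -> bytes:
    """Wire-format DNSKEY RDATA for an RSA key (RFC 3110 section 2): flags,
    protocol, algorithm, then a one-byte exponent length (exponents shorter
    than 256 bytes), the exponent and the modulus. With a 3-byte exponent the
    modulus starts at byte offset 8, so every modulus byte pair is one word."""
    if len(exponent) >= 256:
        raise ValueError("long-exponent encoding not implemented here")
    return (struct.pack("!HBB", flags, PROTOCOL, alg)
            + bytes([len(exponent)]) + exponent + modulus)


def random_rsa_like_modulus(rnd: random.Random, bits: int = 2048) -> bytes:
    """Constructed stand-in for an RSA modulus: a uniformly random odd
    integer of exactly `bits` bits. It is NOT a product of two primes; it
    only models the byte-level randomness the key tag sums over."""
    n = (1 << (bits - 1)) | (rnd.getrandbits(bits - 2) << 1) | 1
    return n.to_bytes(bits // 8, "big")


def count_unique_tags(samples: int, seed: int = 1) -> int:
    """Build `samples` RDATAs over random moduli and count distinct tags.
    The 8 header bytes contribute a constant; the 128 modulus words are the
    only varying input, so the tag is a constant plus a 16-bit sum of 128
    random words. For a uniform modulus the expected number of distinct tags
    is about 65536 * (1 - exp(-samples / 65536)), roughly 51K for 100K draws.
    A key generator that produces far fewer than this deviates from uniform."""
    rnd = random.Random(seed)
    seen = set()
    for _ in range(samples):
        seen.add(keytag(rsa_dnskey_rdata(random_rsa_like_modulus(rnd))))
    return len(seen)


if __name__ == "__main__":
    # Hand-checkable: a two-byte "modulus" 0x8001 gives the words
    # 0x0101 + 0x0308 + 0x0301 + 0x0001 + 0x8001 = 0x870C = 34572, no fold.
    print(keytag(rsa_dnskey_rdata(b"\x80\x01")))
    # The fold: 0xFFFF + 0x0002 = 0x10001; (0x10001 + 1) & 0xFFFF = 2.
    print(keytag(b"\xff\xff\x00\x02"))
    print(count_unique_tags(100_000))
```

To compare a real generator against this baseline, base64-decode the public key field from each generated DNSKEY record, prepend the flags, protocol and algorithm bytes, and feed the result to `keytag()`; the count of distinct tags from the same number of keys is directly comparable to `count_unique_tags()` on the same sample size.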