[dns-operations] a maximum of about 16K possible DNSSEC keytags?
Wessels, Duane
dwessels at verisign.com
Mon Nov 30 16:19:40 UTC 2015
Roy,
I think it's because of the revoke bit.
I did something similar once and found that dnssec-keygen won't generate a new
key (for same name, in same dir) if:
- the new key tag conflicts with an existing key tag
- the new key tag conflicts with an existing key tag + revoke bit
- the new key tag + revoke bit conflicts with an existing key tag
DW
> On Nov 30, 2015, at 7:49 AM, Roy Arends <roy at dnss.ec> wrote:
>
> On 30 Nov 2015, at 15:34, Warren Kumari wrote:
>
>> ... and, for the last hour or so I've been generating lots of keys using
>> ISC BIND dnssec-keygen.
>>
>> Currently I'm up to:
>> wkumari at eric:~/tmp/tmp$ wc -l keytags
>> 5209 keytags
>> (and, boy, are my fingers tired...)
>>
>> How did you generate the keys? I've been doing:
>> dnssec-keygen -K keys -a RSASHA256 -b 2048 -f KSK -v \
>> 0 -r /dev/urandom example.com > /dev/null 2>&1
>
> while true; do /usr/local/sbin/dnssec-keygen -a rsasha256 -b 2048 -f KSK .; done
>
> to do an equivalent calculation with random numbers I use:
>
> while true; do jot -r 128 0 65535|awk '{s+=$1} END {print (s + int(s/65536))%65535}'>>test;done
>
> The former gets about 16K unique results, the latter 64K.
>
> Roy
>
>
>>
>> W
>>
>> On Mon, Nov 30, 2015 at 10:24 AM Roy Arends <roy at dnss.ec> wrote:
>>
>>> On 29 Nov 2015, at 23:20, Roy Arends wrote:
>>>
>>>> I am only able to generate about 16K unique keytags for a 2K RSASHA256
>>>> KSK (*), even after generating hundreds of thousands of keys in a
>>>> loop.
>>>>
>>>> I expected the entire 16 bit keytag space used (i.e. 64K keytags), as
>>>> the keytag is simply the sum of the DNSKEY RDATA (as a series of two
>>>> byte values) with the high two bytes of the resulting 32 bit value
>>>> added to the low 2 byte without carry.
>>>>
>>>> Since the RDATA contains 256 bytes of modulus (a result of multiplying
>>>> two randomly generated 128 byte primes), I thought it had a fair
>>>> amount of entropy so that the resulting key tags would be nicely
>>>> distributed.
>>>>
>>>> Apparently not.
>>>>
>>>> Anyone able (willing) to explain the math, please?
>>>
>>> Peter van Dijk generated a large set of DNSKEYs with the same algorithm,
>>> flags and exponent and was able to generate a lot more unique keytags.
>>> Peter is using PowerDNS ’pdnssec add-zone-key’ which uses mbedTLS
>>> 2.1.0, while I was using dnssec-keygen and ldns-keygen which both used
>>> OpenSSL 0.9.8zg.
>>>
>>> It looks like the difference stems from the libraries involved. At least
>>> we can fingerprint the key generators behind the keys used :-)
>>>
>>> Not sure if I can find out more, or if this is important. Will keep
>>> looking though.
>>>
>>> Thanks
>>>
>>> Roy
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>> dns-jobs mailing list
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
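The following is an added worked example, not code from this thread, from BIND or from any of the posters. It implements the key tag computation Roy describes (RFC 4034 Appendix B: the RDATA summed as 16-bit words, high half of the 32-bit sum folded into the low half), shows what setting the REVOKE flag (RFC 5011, bit 0x0080 of the flags field) does to a key's tag, and encodes the three conflict rules from Duane's message as a check that a defender could run over a key directory. The conflict function is my reading of Duane's description, not dnssec-keygen's own logic; the 4-byte "public keys" are constructed so the sums can be checked by hand; and simulate_unique_tags is the Python equivalent of Roy's jot/awk baseline over uniformly random bytes, so it reproduces the ~64K random-number result and says nothing about why real OpenSSL-generated RSA moduli only reach ~16K.

```python
import random
import struct

# REVOKE flag bit of the DNSKEY flags field (RFC 5011). The flags field is the
# first 16-bit word of the RDATA, so setting it adds 0x0080 to the tag sum.
REVOKE = 0x0080


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, then add
    the high 16 bits of the 32-bit sum to the low 16 bits and drop any carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def revoked_tag(rdata: bytes) -> int:
    """Tag the same key would carry once its REVOKE bit is set."""
    (flags,) = struct.unpack("!H", rdata[:2])
    return key_tag(struct.pack("!H", flags | REVOKE) + rdata[2:])


def conflicts(new_rdata: bytes, existing: list) -> bool:
    """The three refusal rules from Duane's message, as I read them (an
    assumption about dnssec-keygen's behaviour, not its code): the new tag
    must not equal an existing tag, must not equal an existing tag with the
    revoke bit set, and the new tag with the revoke bit set must not equal an
    existing tag."""
    tag, rtag = key_tag(new_rdata), revoked_tag(new_rdata)
    for old in existing:
        otag, ortag = key_tag(old), revoked_tag(old)
        if tag == otag or tag == ortag or rtag == otag:
            return True
    return False


def simulate_unique_tags(n_keys: int, key_len: int = 256, seed: int = 0) -> int:
    """Roy's jot/awk baseline in Python: count distinct tags of n_keys KSK
    RDATAs whose public-key field is key_len uniformly random bytes. This is
    constructed input, not RSA moduli, so it shows the random-number ceiling
    (most of the 64K space), not the ~16K limit seen with real keys."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(n_keys):
        pk = rng.getrandbits(8 * key_len).to_bytes(key_len, "big")
        seen.add(key_tag(dnskey_rdata(257, 3, 8, pk)))  # 257 = ZONE|SEP, alg 8 = RSASHA256
    return len(seen)


if __name__ == "__main__":
    # Constructed 4-byte "public key": words 0x0101 0x0308 0x0001 0x0203 sum to 1549.
    a = dnskey_rdata(257, 3, 8, b"\x00\x01\x02\x03")
    print("tag", key_tag(a), "revoked tag", revoked_tag(a))
    print("unique tags from 10000 random keys:", simulate_unique_tags(10000))
```

Note that the revoked tag is the plain tag plus 128 (mod the fold), which is why a key whose tag happens to land 128 above another key's tag is refused: revoking either one would produce a tag collision between them.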