[dns-operations] a maximum of about 16K possible DNSSEC keytags?

Peter Koch pk at denic.de
Mon Nov 30 21:46:41 UTC 2015


On Mon, Nov 30, 2015 at 05:27:44PM +0000, Warren Kumari wrote:
> Yah, Duane is probably right.

For a 1024-bit ZSK with algorithm 8, the first keytags are, with
both ldns-keygen and dnssec-keygen,

00005 00008 00014 00017 00020 00023 00029 00030 00032 00033 00036
00039 00045 00048 00054 00060 00063 00066 00069 00075 00078 00081

After around 200k keys generated, I end up with 16386(!) and 16379 different
keytags, even if the zone/key names are changed for every single key pair.
The missing seven are 13350 17376 25629 28194 37239 41025 60411.

Indeed. There's key_collision() in bin/dnssec/dnssectool.c (BIND),
but that is supposed to distinguish between key owner names.
Source code can be a mystery ...

-Peter
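The key tag computation behind the thread, as an added example (this is not code from the post, from ldns or from BIND): the RFC 4034 Appendix B key tag over DNSKEY RDATA, plus a check of the arithmetic that ties an RSA key's tag to its modulus mod 65535. Assumptions: the sample moduli are constructed products of Mersenne primes standing in for real RSA moduli so the script is deterministic and runs offline; the RDATA prefix uses the usual ZSK values (flags 256, protocol 3, algorithm 8, exponent 65537), and the helper names are mine.

```python
# Added example, not code from the list post, ldns or BIND: the RFC 4034
# Appendix B key tag over DNSKEY RDATA, and the modular identity that makes
# the tag of an RSA key a function of (modulus mod 65535) plus a constant.
import math

TAG_MODULUS = 65535  # 2**16 - 1 == 3 * 5 * 17 * 257


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)   # big-endian 16-bit words
    ac += (ac >> 16) & 0xFFFF               # fold the carry back in
    return ac & 0xFFFF


def rsa_dnskey_prefix(flags: int, algorithm: int, e: int) -> bytes:
    """DNSKEY RDATA up to the RSA modulus: flags, protocol 3, algorithm,
    then the RFC 3110 exponent length and exponent."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        e_len = bytes([len(e_bytes)])
    else:
        e_len = b"\x00" + len(e_bytes).to_bytes(2, "big")
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + e_len + e_bytes


def modulus_bytes(n: int) -> bytes:
    """Big-endian modulus without leading zero bytes, as RFC 3110 encodes it."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def word_sum(data: bytes) -> int:
    """Sum of the big-endian 16-bit words of data; an odd tail byte is the
    high half of its word, exactly as key_tag() treats it."""
    if len(data) & 1:
        data += b"\x00"
    return sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))


def predicted_tag_residue(prefix: bytes, n: int) -> int:
    """Key tag modulo 65535 computed from the integers alone.

    Since 2**16 == 1 (mod 65535), the word sum of a big-endian integer is
    congruent to the integer itself.  An odd-length modulus is effectively
    multiplied by 256 because its last byte lands in the high half of a word.
    The prefix must be word-aligned (even length) for the modulus words to
    line up; that holds for the common exponents 3 and 65537.
    """
    assert len(prefix) % 2 == 0, "modulus would not be word-aligned"
    shift = 256 if len(modulus_bytes(n)) & 1 else 1
    return (word_sum(prefix) + n * shift) % TAG_MODULUS


def tag_matches_prediction(prefix: bytes, n: int) -> bool:
    """True when key_tag() agrees with the modular prediction.  The fold in
    key_tag() is a ones'-complement style sum, so the only deviation is a
    -1 when the folded sum wraps past 0xFFFF."""
    actual = key_tag(prefix + modulus_bytes(n))
    diff = (actual - predicted_tag_residue(prefix, n)) % TAG_MODULUS
    return diff in (0, TAG_MODULUS - 1)


def reachable_residues(prefix: bytes) -> int:
    """Number of residues mod 65535 the tag can take when the modulus is a
    product of two primes larger than 257, i.e. coprime to 3, 5, 17 and 257.
    This is phi(65535) = 32768, an upper bound on distinct tags."""
    c = word_sum(prefix) % TAG_MODULUS
    return sum(1 for r in range(TAG_MODULUS)
               if math.gcd((r - c) % TAG_MODULUS, TAG_MODULUS) == 1)


# Constructed sample keys (not real DNSSEC keys): products of Mersenne primes
# stand in for RSA moduli so the script is deterministic and runs offline.
# Byte lengths 92, 84, 24 and 19 exercise both the even and the odd case.
P1, P2, P3, P4 = 2**607 - 1, 2**127 - 1, 2**61 - 1, 2**89 - 1
SAMPLE_MODULI = [P1 * P2, P1 * P3, P2 * P3, P4 * P3]
ZSK_RSASHA256 = rsa_dnskey_prefix(256, 8, 65537)  # flags 256, protocol 3, alg 8

if __name__ == "__main__":
    for n in SAMPLE_MODULI:
        rdata = ZSK_RSASHA256 + modulus_bytes(n)
        print(len(rdata), key_tag(rdata), predicted_tag_residue(ZSK_RSASHA256, n),
              tag_matches_prediction(ZSK_RSASHA256, n))
    print("reachable residues:", reachable_residues(ZSK_RSASHA256))
```

The point of the check: with the prefix word-aligned, the tag is (modulus + constant) mod 65535 up to the fold's wrap-around, and a modulus that is a product of two large primes can never be divisible by 3, 5, 17 or 257, so at most 32768 residues are reachable for any given flags/algorithm/exponent prefix. That bound is still twice the roughly 16K Peter counted over 200k keys, so some further restriction is at work that this post does not pin down.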


