[dns-operations] Surprisingly large cluster of domains sharing the same pair of 512-bit ZSKs and some more RSA key oddities
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Nov 1 00:39:51 UTC 2017
> On Oct 31, 2017, at 8:07 PM, Jeremy L. Gaddis <jeremy at gadd.is> wrote:
>
>> I think that key generation utilities should, in the absence of some sort
>> of "force" option, refuse to unusual keys. At present that means:
>>
>> * exponent is unconditionally 65535 (F_4)
>
> Note that F_4 is actually 65537.

Oops, the fingers are too used to typing 65535 on autopilot. Thanks for
noticing...

The highlights of the RSA key data are (rounded to nearest 1000):
* 9,762,000 total RSA DNSKEY RRs
* 6,289,000 1024-bit RSA DNSKEY RRs
* 2,885,000 2048-bit RSA DNSKEY RRs
* 196,000 1280-bit RSA DNSKEY RRs
* 190,000 1536-bit RSA DNSKEY RRs
* 131,000 512-bit RSA DNSKEY RRs
* 66,000 4096-bit RSA DNSKEY RRs
Plus a few thousand other "oddball" RSA key sizes.

--
Viktor.
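
The following is an added example, not part of the original message or of any tool the thread mentions: a parser for the RSA public key field of a DNSKEY RR (RFC 3110 layout) that reports the exponent and modulus size and flags keys that are not F_4 or fall below a size threshold. The `min_bits` default, the function names and the sample keys built by `make_key` are assumptions made for illustration.

```python
import base64

F4 = 65537  # the fourth Fermat number, 2**16 + 1

def parse_rsa_dnskey(pubkey_b64):
    """Split an RFC 3110 RSA public key field into (exponent, modulus bits)."""
    # Presentation format may wrap the base64 across whitespace; remove it first.
    raw = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    if not raw:
        raise ValueError("empty key")
    # Exponent length is one octet, or a zero octet followed by a two-octet length.
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent, modulus = raw[off:off + elen], raw[off + elen:]
    if elen == 0 or len(exponent) != elen or not modulus:
        raise ValueError("truncated key")
    # bit_length() ignores leading zero octets in the modulus.
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big").bit_length()

def audit(pubkey_b64, min_bits=1024):
    """Return a list of findings; min_bits is an assumed policy threshold."""
    e, bits = parse_rsa_dnskey(pubkey_b64)
    findings = []
    if e != F4:
        findings.append(f"exponent {e} is not F_4")
    if bits < min_bits:
        findings.append(f"{bits}-bit modulus below {min_bits}")
    return findings

def make_key(e, bits):
    """Constructed sample input: a placeholder modulus of the given size, not a real key."""
    ebytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n = (1 << (bits - 1)) | 1  # top bit set so the size is exactly `bits`
    body = bytes([len(ebytes)]) + ebytes + n.to_bytes(bits // 8, "big")
    return base64.b64encode(body).decode()

if __name__ == "__main__":
    for e, bits in [(F4, 2048), (F4, 512), (65535, 1024), (3, 1280)]:
        print(bits, e, audit(make_key(e, bits)) or "ok")
```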