[dns-operations] Surprisingly large cluster of domains sharing the same pair of 512-bit ZSKs and some more RSA key oddities

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Nov 1 00:39:51 UTC 2017

> On Oct 31, 2017, at 8:07 PM, Jeremy L. Gaddis <jeremy at gadd.is> wrote:
>> I think that key generation utilities should, in the absence of some sort
>> of "force" option, refuse to unusual keys.  At present that means:
>>    * exponent is unconditionally 65535 (F_4)
> Note that F_4 is actually 65537.

Oops, the fingers are too used to typing 65535 on autopilot.  Thanks for

The highlights of the RSA key data are (rounded to nearest 1000):

   * 9,762,000    total RSA DNSKEY RRs
   * 6,289,000 1024-bit RSA DNSKEY RRs
   * 2,885,000 2048-bit RSA DNSKEY RRs
   *   196,000 1280-bit RSA DNSKEY RRs
   *   190,000 1536-bit RSA DNSKEY RRs
   *   131,000  512-bit RSA DNSKEY RRs
   * 	66,000 4096-bit RSA DNSKEY RRs

Plus a few thousand other "oddball" RSA key sizes.


More information about the dns-operations mailing list