[dns-operations] Surprisingly large cluster of domains sharing the same pair of 512-bit ZSKs and some more RSA key oddities
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Oct 30 12:49:22 UTC 2017
Looking closely at the data gathered by the DANE survey I've
run into more than 54 thousand (!!!) domains that have the same
pair of 512-bit RSA keys for their ZSKs. A small sample follows
my signature. The SOA records all point at wedos.cz, who appear
to be some sort of hosting provider. Perhaps someone native to
.CZ could reach out to them and suggest that 512-bit keys are no
longer a good idea, especially if re-used so liberally!
The only sensible feature of these is that the exponent is the
usual F_4. Two domains unrelated to the above have 512-bit keys
with a weak exponent of 3:
trt12.jus.br
trt12.gov.br
More broadly, the DNSKEY length (including exponent length and exponent)
histogram (distinct RR count) for keys for algorithms 5, 7, 8 and 10 (RSA)
is below, with some highlights annotated. It seems too many folks
stray into uncharted waters with their DNSKEY parameter choices. Perhaps
the key management tools should offer them less rope...
RR count | length
---------+--------
2 | 66 (512-bit keys with exponent 3)
130395 | 68 (512-bit keys, mostly the wedos.cz domains)
7 | 70
27 | 100 (768-bit keys)
1 | 117
1 | 122
1 | 124
141 | 130 (1024-bit with exponent 3)
107 | 131 (1024-bit with exponent 65337 == 3*29*751)
6282427 | 132 (1024-bit keys)
647 | 133 (1024-bit keys with exponent 2^30 + 3, prime)
1983 | 134 (1024-bit keys with exponent 2^32 + 1 == 641 * 6700417)
99 | 135
1 | 139
2 | 146
99 | 148
2 | 149
2 | 160
7 | 162
196633 | 164 (1280-bit keys)
113 | 167
6 | 168
97 | 169
19 | 173
6 | 179
190377 | 196 (1536-bit keys)
37 | 198
1 | 207
1 | 216
1 | 222
1 | 229
1 | 232
1 | 233
2 | 240
1 | 241
1 | 245
1 | 249
1 | 252
1 | 254
6 | 256
13 | 257
488 | 258
96 | 259
2881881 | 260 (2048-bit keys)
21 | 261
2112 | 262
24 | 265
1 | 266
4 | 268
1 | 269
93 | 292
2 | 294
3 | 308
2 | 314
377 | 324
60 | 388
2 | 391
3 | 410
56204 | 516 (4096-bit keys)
9744 | 518
2 | 1028 (8192-bit keys)
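The "length" column above is the size of the RFC 3110 public key field (exponent length byte(s), exponent, modulus), which is why a 512-bit key with F_4 lands at 68 and one with exponent 3 at 66. The following added example (not part of the post) decodes that field from DNSKEY presentation lines, flags short moduli and small exponents, and reports keys shared across owners; the two zuszacler.cz/zusvb.cz records are from the post, while the other keys are constructed from arbitrary numbers (not real RSA moduli) to reproduce histogram rows 66 and 134.

```python
import base64
from collections import defaultdict

RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def encode_rfc3110(exponent: int, modulus: int) -> bytes:
    """RFC 3110 key field: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    prefix = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return prefix + e + n

def parse_rfc3110(raw: bytes):
    """Return (exponent, modulus) from the RFC 3110 encoding."""
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    return int.from_bytes(raw[off:off + elen], "big"), int.from_bytes(raw[off + elen:], "big")

def describe_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR; returns None for non-RSA algorithms."""
    owner, _, flags, _proto, alg, key = line.split(maxsplit=5)
    if int(alg) not in RSA_ALGORITHMS:
        return None
    key = "".join(key.split())            # base64 may be split into chunks
    raw = base64.b64decode(key)
    e, n = parse_rfc3110(raw)
    issues = []
    if n.bit_length() < 1024:
        issues.append("modulus shorter than 1024 bits")
    if e < 65537:
        issues.append("exponent smaller than 65537")
    return {"owner": owner, "flags": int(flags), "length": len(raw),  # as in the histogram
            "exponent": e, "modulus_bits": n.bit_length(), "issues": issues, "key": key}

def find_shared_keys(lines):
    """Map each public key seen under more than one owner to its sorted owner list."""
    owners = defaultdict(set)
    for line in lines:
        info = describe_dnskey(line)
        if info:
            owners[info["key"]].add(info["owner"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

# Constructed sample: two records from the post plus keys built from arbitrary numbers.
SHARED_KEY = ("AwEAAcAXIKWA1mNC46kszpVNe2VRTja/bAdCjRW6WsTYjW8bwpu1SoKFYQH1zMOF"
              "nQ1OmYh1cbmZiuGx8G2ty5zLFgU=")
EXP3_512 = base64.b64encode(encode_rfc3110(3, (1 << 511) | 0x10001)).decode()
EXP_2_32_1024 = base64.b64encode(encode_rfc3110(2**32 + 1, (1 << 1023) | 0x10001)).decode()
SAMPLE = [f"zuszacler.cz. DNSKEY 256 3 7 {SHARED_KEY}", f"zusvb.cz. DNSKEY 256 3 7 {SHARED_KEY}",
          f"example.test. DNSKEY 256 3 8 {EXP3_512}", f"example.test. DNSKEY 257 3 8 {EXP_2_32_1024}",
          "example.test. DNSKEY 256 3 13 YWJj"]  # ECDSA P-256, skipped by the RSA filter
```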
--
Viktor.