[dns-operations] (struct DNSSEC_DNSKEY_RR *) Exponent lengths

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 8 16:10:25 UTC 2018



> On Aug 8, 2018, at 9:30 AM, Edward Lewis <edward.lewis at icann.org> wrote:
> 
>   Over the ensuing years, I would run the code but never looked closely at the resulting analysis.  In the last week my attention returned to the code.  I noticed something interesting in a run looking at DNSKEY sets in gTLD zones:
> 
>    Exponent Sizes
>          7 unknown-8 (i.e., 7 keys had an exponent length of 8 octets)
>          8 unknown-4
>         27 unknown-2
>        379 small
>       2598 obese
>     486046 none
>    2464864 large

DSA and ECDSA are of course out of scope.  Looking at the RSA keys in my dataset,
(restricted to domains where the most recent DNSSEC-validated lookup of the
DNSKEY RRset worked), I see:

 domains |     exp
---------+--------------
 6767769 | 0x010001       prime:     F_4
   13011 | 0x0100000001   composite: F_5 = 641 x 6700417
     439 | 0x03           prime:     F_0
      48 | 0xff39         composite: 65337 = 3 x 29 x 751 (typo for 65537)
      34 | 0x40000003     prime:     1073741827
      20 | 0xffff         composite: 65535 = F_0 x F_1 x F_2 x F_3

The numbers you quote look perturbed by noise from *DSA.

-- 
	Viktor.
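
Added example, not part of the original message: a Python sketch of how an RSA exponent is read from DNSKEY RDATA using the RFC 3110 layout, with a check on the algorithm number first so that non-RSA keys are skipped, plus trial-division factoring of the kind shown in the table. The sample records, the filler modulus and all function names are constructed for illustration.

```python
import struct

# DNSKEY algorithm numbers that carry an RFC 3110 RSA public key.
RSA_ALGS = {1, 5, 7, 8, 10}

def rsa_exponent(pubkey: bytes) -> int:
    """Public exponent from an RFC 3110 key field: length prefix, exponent, modulus."""
    if not pubkey:
        raise ValueError("empty public key field")
    explen, off = pubkey[0], 1
    if explen == 0:  # long form: a zero octet, then a 2-octet big-endian length
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        explen, off = int.from_bytes(pubkey[1:3], "big"), 3
    exp = pubkey[off:off + explen]
    if explen == 0 or len(exp) != explen or len(pubkey) == off + explen:
        raise ValueError("missing or truncated exponent/modulus")
    return int.from_bytes(exp, "big")

def dnskey_exponent(rdata: bytes):
    """Exponent of a DNSKEY RDATA blob, or None when the algorithm is not RSA."""
    if len(rdata) < 4:
        raise ValueError("truncated DNSKEY RDATA")
    _flags, _proto, alg = struct.unpack("!HBB", rdata[:4])
    return rsa_exponent(rdata[4:]) if alg in RSA_ALGS else None

def factor(n: int) -> list:
    """Trial-division factorisation; fine for the exponent sizes tabulated above."""
    out, p = [], 2
    while p * p <= n:
        while n % p == 0:
            out.append(p)
            n //= p
        p += 1
    return out + ([n] if n > 1 else [])

# Constructed sample records (flags 257, protocol 3); the moduli are filler, not real keys.
MODULUS = b"\xc1" + bytes(126) + b"\x01"
def rdata(alg, key): return struct.pack("!HBB", 257, 3, alg) + key
RSA_F4 = rdata(8, b"\x03\x01\x00\x01" + MODULUS)
RSA_F5 = rdata(8, b"\x05\x01\x00\x00\x00\x01" + MODULUS)
ECDSA = rdata(13, bytes(range(8, 72)))  # 64 constructed octets, first one is 0x08

if __name__ == "__main__":
    for name, rr in (("F_4", RSA_F4), ("F_5", RSA_F5), ("ECDSA", ECDSA)):
        e = dnskey_exponent(rr)
        print(name, "not RSA, skipped" if e is None else (hex(e), factor(e)))
    # Reading the ECDSA key with the RSA layout yields a bogus 8-octet "exponent".
    print(hex(rsa_exponent(ECDSA[4:])))
```

The last line shows what happens when the algorithm check is omitted: the first octet of a non-RSA key is taken as an exponent length.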



