[dns-operations] (struct DNSSEC_DNSKEY_RR *) Exponent lengths
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Aug 8 16:10:25 UTC 2018
> On Aug 8, 2018, at 9:30 AM, Edward Lewis <edward.lewis at icann.org> wrote:
>
> Over the ensuing years, I would run the code but never looked closely at the resulting analysis. In the last week my attention returned to the code. I noticed something interesting in a run looking at DNSKEY sets in gTLD zones:
>
> Exponent Sizes
> 7 unknown-8 (i.e., 7 keys had an exponent length of 8 octets)
> 8 unknown-4
> 27 unknown-2
> 379 small
> 2598 obese
> 486046 none
> 2464864 large

DSA and ECDSA are of course out of scope. Looking at the RSA keys in my dataset,
(restricted to domains where the most recent DNSSEC-validated lookup of the
DNSKEY RRset worked), I see:

 domains | exp
---------+--------------
 6767769 | 0x010001      prime: F_4
   13011 | 0x0100000001  composite: F_5 = 641 x 6700417
     439 | 0x03          prime: F_0
      48 | 0xff39        composite: 65337 = 3 x 29 x 751 (typo for 65537)
      34 | 0x40000003    prime: 1073741827
      20 | 0xffff        composite: 65535 = F_0 x F_1 x F_2 x F_3

The numbers you quote look perturbed by noise from *DSA.

--
Viktor.
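
An added example, not part of the original post and not either author's code: a survey like the ones compared above has to filter on the DNSKEY algorithm number before reading the RFC 3110 exponent-length prefix, otherwise non-RSA keys are counted as odd exponent lengths. The function names and the sample records (with a filler modulus) are constructed for illustration.

```python
from collections import Counter

# RSA DNSSEC algorithm numbers (RSAMD5, RSASHA1, RSASHA1-NSEC3-SHA1,
# RSASHA256, RSASHA512). DSA, ECDSA and EdDSA keys carry no RSA exponent.
RSA_ALGORITHMS = {1, 5, 7, 8, 10}


def rsa_exponent(algorithm, public_key):
    """Return (exponent_octets, modulus_bits), or None for a non-RSA key.

    RFC 3110 layout: a 1-octet exponent length, or 0x00 followed by a
    2-octet big-endian length, then the exponent, then the modulus.
    """
    if algorithm not in RSA_ALGORITHMS:
        return None
    if not public_key:
        raise ValueError("empty public key field")
    if public_key[0] != 0:
        exp_len, offset = public_key[0], 1
    else:
        if len(public_key) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(public_key[1:3], "big"), 3
    end = offset + exp_len
    if exp_len == 0 or end >= len(public_key):
        raise ValueError("exponent length leaves no room for a modulus")
    modulus = int.from_bytes(public_key[end:], "big")
    return public_key[offset:end], modulus.bit_length()


def exponent_histogram(records):
    """Count RSA exponents by their on-the-wire octets, skipping non-RSA keys."""
    counts = Counter()
    for algorithm, public_key in records:
        parsed = rsa_exponent(algorithm, public_key)
        if parsed is not None:
            counts["0x" + parsed[0].hex()] += 1
    return dict(counts)


# Constructed sample data: the modulus is filler, not a real key.
FAKE_MODULUS = b"\xc3" + bytes(127)
SAMPLE_RECORDS = [
    (8, b"\x03\x01\x00\x01" + FAKE_MODULUS),          # F_4, 1-octet length
    (8, b"\x00\x00\x03\x01\x00\x01" + FAKE_MODULUS),  # F_4, 3-octet length form
    (8, b"\x05\x01\x00\x00\x00\x01" + FAKE_MODULUS),  # F_5
    (5, b"\x01\x03" + FAKE_MODULUS),                  # F_0
    (13, bytes(64)),                                  # ECDSA P-256: skipped
]
```

Calling `exponent_histogram(SAMPLE_RECORDS)` groups keys by exponent octets in the same `0x...` form as the table above.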