[dns-operations] [Ext] Re: (struct DNSSEC_DNSKEY_RR *) Exponent lengths

[Viktor Dukhovni]

On Thu, Aug 09, 2018 at 03:56:20PM +0000, Edward Lewis wrote:

> Took a while to get back to this, using the same data set (6 Aug):
> 
> On 8/8/18, 12:18, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:
>     
> >The numbers you quote look perturbed by noise from *DSA.
> 
> I decided to pull the exponents too.  It's not just DSA.  Sorted by exponent length and value, leaving in DNSSEC security algorithm and key length.

Running your data through:

    egrep -v DSA- | awk '{print $2,$3,$4,$5}' | sort | uniq -c | sort -nr

gives:

  11 RSA-SHA256 1024 02 FF39
   6 RSA-SHA1-N 2048 02 FFFF
   4 RSA-SHA512 1024 02 FF39
   3 RSA-SHA256 2048 02 FF39
   3 RSA-SHA1 2048 04 40000003
   3 RSA-SHA1 1024 04 40000003
   2 RSA-SHA512 2048 02 FF39
   1 RSA-SHA512 2048 02 FFFF

which is basically (a subset of) what I reported:

     domains |     exp
    ---------+--------------
     6767769 | 0x010001             prime:     F_4
       13011 | 0x0100000001         composite: F_5 = 641 x 6700417
	 439 | 0x03                 prime:     F_0
	  48 | 0xff39               composite: 65337 = 3 x 29 x 751 (typo for 65537)
	  34 | 0x40000003           prime:     1073741827
	  20 | 0xffff               composite: 65535 = F_0 x F_1 x F_2 x F_3

By far the most common "unexpected" exponent is F_5, I don't know
why it is so popular.  No obvious gain in security, and of course
reduced performance.  Adam Langley's advice to use e=3 (F_0) is
clearly not getting much traction.

-- 
	Viktor.

P.S.  The DSA keys don't have the same structure and so we can't
meaningfully extract exponents.  A DSA public key in group (p,g,q)
with g the generator of a sub-group of prime order q, is a public
key P=g^S (mod p) with S in [1,q-1] the secret (private) key.
There's no public exponent to look at in a DSA key.