[dns-operations] [Ext] Re: (struct DNSSEC_DNSKEY_RR *) Exponent lengths

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Aug 10 14:26:39 UTC 2018

> On Aug 10, 2018, at 8:59 AM, Edward Lewis <edward.lewis at icann.org> wrote:
> And that is why I'm wondering about the exponents I see.  There's got to be some tool or some turn-key system that is creating these keys.

If, for example, you look at the SOA RRs of the domains with the F_5
exponents you'll find:

  8964 ns.gransy.com
  3261 root-dns.netcup.net
   122 avalon.iks-jena.de
    61 ns.nic.se
    38 ns.interlan.se

So it looks like gransy.com and netcup.net have tools that default to F_5.
The folks at IIS connected to "ns.nic.se" might be reading this list, they
might know how they came to use the second most popular F_5 rather than

Along the same lines, "0xff39" is used at:

    17 dns1.ficora.fi
    10 ns1.plat.fi
     5 namesurfer.inet.fi
     3 namesurfer.kanren.net
     2 ns1.lanwan.fi

So one might ask ficora.fi what software they're using to sign their zones...
They run the CERT for Finland, it is a surprising place for a presumably
typo'd RSA public exponent.  [ They share this distinction with "csosa.gov",
which is the "Court Services and Offender Supervision Agency for the District
of Columbia". ]

The "0xffff" exponents are found at:

   9 asia1.akam.net monitoracao at santander.com.br
   4 infoblox1.private.mdc2.mozilla.com sysadmins at mozilla.org
   3 use5.akam.net hostmaster at frb.gov
   2 ns.grisoft.cz domainadministration at avg.com
   1 a5-65.akam.net hostmaster at frb.gov
   1 dmz-ns.fcc.gov dns-admin at fcc.gov

I don't know whether Akamai are involved in the choice of exponent, or
just happen to provide DNS service for 13 of the 20 domains in question.
It is again surprising to find mozilla.net, mozilla.org and allizom.org
in the oddball camp.
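Added example, not part of the original message: a sketch of how the exponents tallied above can be pulled out of the public key field of RSA DNSKEY records (RFC 3110 layout) and grouped the same way. The function names, the dummy modulus and the sample fields are constructed for illustration and are not keys from any zone named in the post.

```python
import base64
from collections import Counter

F4 = 2**16 + 1  # 65537, the common RSA public exponent
F5 = 2**32 + 1  # 4294967297, needs 5 octets in the key field

def parse_rsa_pubkey(b64_field):
    """Split an RSA DNSKEY public key field (RFC 3110 layout) into
    (exponent_octets, modulus_octets)."""
    raw = base64.b64decode("".join(b64_field.split()), validate=True)
    if len(raw) < 3:
        raise ValueError("key field too short")
    # One length octet, or 0x00 followed by a two-octet length.
    if raw[0] != 0:
        exp_len, off = raw[0], 1
    else:
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    exp, mod = raw[off:off + exp_len], raw[off + exp_len:]
    if exp_len == 0 or len(exp) != exp_len or not mod:
        raise ValueError("truncated exponent or missing modulus")
    return exp, mod

def label_exponent(exp):
    """Name the exponent the way the post groups them."""
    e = int.from_bytes(exp, "big")
    if e == F4:
        name = "F_4"
    elif e == F5:
        name = "F_5"
    else:
        name = hex(e)
    if exp[0] == 0:
        name += " (leading zero octet)"  # RFC 3110 prohibits leading zeros
    if e % 2 == 0:
        name += " (even, unusable for RSA)"
    return name

def survey(fields):
    """Count exponent labels across many key fields."""
    return Counter(label_exponent(parse_rsa_pubkey(f)[0]) for f in fields)

def make_field(exp, mod):
    """Build a constructed key field for the demo (not a real key)."""
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return base64.b64encode(prefix + exp + mod).decode()

# Constructed sample data: a dummy 1024-bit "modulus" and five exponent encodings.
MOD = b"\xc3" + bytes(range(1, 128))
SAMPLES = [make_field(e, MOD) for e in (
    b"\x01\x00\x01", b"\x01\x00\x00\x00\x01", b"\xff\x39", b"\xff\xff", b"\x00\x01\x00\x01")]

if __name__ == "__main__":
    for label, n in survey(SAMPLES).most_common():
        print(n, label)
```

In decimal, 0xff39 is 65337 and 0xffff is 65535, which is why both read as slips for 65537.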

