[dns-operations] [Ext] Re: (struct DNSSEC_DNSKEY_RR *) Exponent lengths
Paul Wouters
paul at nohats.ca
Fri Aug 10 20:26:43 UTC 2018
On Fri, 10 Aug 2018, Tony Finch wrote:
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
>> Adam Langley's advice to use e=3 (F_0) is clearly not getting much
>> traction.
>
> All the common tools use 65537 by default - BIND dnssec-keygen,
> ldns-keygen, OpenSSL genrsa, OpenSSH ssh-keygen, gpg ... as a hedge
> against another padding screwup like CVE-2006-4339.

Indeed, I remember that being the reason software switched to F4,
because it was hard to figure out if the openssl you were linked
against had this issue or not.

Paul
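
Added example, not part of the message above or of any tool named in the thread: a check that pulls the public exponent out of RSA DNSKEY RDATA (RFC 3110 layout: a one-octet exponent length, or 0x00 followed by a two-octet length) and reports whether it is F4, 3, or something else. The sample RDATA is constructed, and the function names are made up for this illustration.

```python
import struct

# DNSSEC algorithm numbers whose public key field uses the RFC 3110 RSA layout.
RSA_ALGORITHMS = {5, 7, 8, 10}

def parse_rsa_dnskey(rdata: bytes):
    """Return (exponent, modulus_bits) from DNSKEY RDATA in wire format."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA shorter than its fixed header")
    _flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if algorithm not in RSA_ALGORITHMS:
        raise ValueError(f"algorithm {algorithm} is not RSA")
    key = rdata[4:]
    if not key:
        raise ValueError("empty public key field")
    # One length octet (1..255), or 0x00 followed by a two-octet length.
    if key[0] != 0:
        exp_len, offset = key[0], 1
    else:
        if len(key) < 3:
            raise ValueError("truncated three-octet exponent length")
        exp_len, offset = struct.unpack("!H", key[1:3])[0], 3
    if exp_len == 0 or offset + exp_len >= len(key):
        raise ValueError("exponent length leaves no room for exponent and modulus")
    exponent = int.from_bytes(key[offset:offset + exp_len], "big")
    modulus = int.from_bytes(key[offset + exp_len:], "big")
    return exponent, modulus.bit_length()

def audit_exponent(exponent: int) -> str:
    """Classify the exponent the way the thread talks about it."""
    if exponent == 65537:
        return "F4"
    if exponent == 3:
        return "e=3"      # safe only if every verifier checks padding strictly
    if exponent < 3 or exponent % 2 == 0:
        return "invalid"  # an RSA public exponent must be odd and greater than 1
    return "other"

# Constructed 1024-bit filler, not a real modulus.
SAMPLE_MODULUS = b"\xc3" + bytes(126) + b"\x01"

def build_sample(exp_bytes: bytes, long_form: bool = False) -> bytes:
    """Constructed KSK-style RDATA: flags 257, protocol 3, algorithm 8."""
    length = b"\x00" + struct.pack("!H", len(exp_bytes)) if long_form else bytes([len(exp_bytes)])
    return struct.pack("!HBB", 257, 3, 8) + length + exp_bytes + SAMPLE_MODULUS

if __name__ == "__main__":
    for exp in (b"\x01\x00\x01", b"\x03", b"\x00\x01\x00\x01"):
        e, bits = parse_rsa_dnskey(build_sample(exp))
        print(f"exp_len={len(exp)} e={e} bits={bits} -> {audit_exponent(e)}")
```

Note that the same exponent value can arrive with different encoded lengths (for example 65537 padded to four octets), so compare the decoded integer rather than the raw bytes.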