<div dir="ltr">Yah, Duane is probably right.<div><br></div><div>I'm generating keys in sets of 2000, and deleting the keys after each set. </div><div>It does seem like the first few get generated quickly, and then it starts to slow down over time, then goes quickly again when I (delete) and restart.</div><div><br></div><div>Generated 25209 keytags, with 13012 unique. Seeing as I've already burnt the CPU time, I'll let it run for a bit more till I've passed the 16K unique tags...</div><div><br></div><div>For those interested (not sure why you would be :-)) the distribution of collisions looks like:</div><div><br></div><div>Count Number of collisions</div><div>------------------------------------</div><div><div> 4 7</div><div> 46 6</div><div> 243 5</div><div> 783 4</div><div> 2088 3</div><div> 4446 2</div><div> 5402 1</div></div><div><br></div><div><br></div><div>So, 7 keytags have had 7 collisions, 6 have had 6, 243 have had 5, etc.</div><div><br></div><div>Perhaps, if I'm bored, I'll rerun this using /dev/random instead of /dev/urandom to see if things look significantly different, but I'm assuming they won't.</div><div><br></div><div>W</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 30, 2015 at 11:54 AM Wessels, Duane <<a href="mailto:dwessels@verisign.com">dwessels@verisign.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Roy,<br>
<br>
I think its because of the revoke bit.<br>
<br>
I did something similar once and found that dnssec-keygen won't generate a new<br>
key (for same name, in same dir) if:<br>
<br>
- the new key tag conflicts with an existing key tag<br>
- the new key tag conflicts with an existing key tag + revoke bit<br>
- the new key tag + revoke bit conflicts with an existing key tag<br>
<br>
DW<br>
<br>
<br>
> On Nov 30, 2015, at 7:49 AM, Roy Arends <<a href="mailto:roy@dnss.ec" target="_blank">roy@dnss.ec</a>> wrote:<br>
><br>
> On 30 Nov 2015, at 15:34, Warren Kumari wrote:<br>
><br>
>> ... and, for the last hour or so I've been generating lots of keys using<br>
>> ISC BIND dnssec-keygen.<br>
>><br>
>> Currently I'm up to:<br>
>> wkumari@eric:~/tmp/tmp$ wc -l keytags<br>
>> 5209 keytags<br>
>> (and, boy, are my fingers tired...)<br>
>><br>
>> How did you generate the keys? I've been doing:<br>
>> dnssec-keygen -K keys -a RSASHA256 -b 2048 -f KSK -v \<br>
>> 0 -r /dev/urandom <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> > /dev/null 2>&1<br>
><br>
> while true; do /usr/local/sbin/dnssec-keygen -a rsasha256 -b 2048 -f KSK .; done<br>
><br>
> to do an equivalent calculation with random numbers I use:<br>
><br>
> while true; do jot -r 128 0 65535|awk '{s+=$1} END {print (s + int(s/65536))%65535}'>>test;done<br>
><br>
> The former gets about 16K unique results, the latter 64K.<br>
><br>
> Roy<br>
><br>
><br>
>><br>
>> W<br>
>><br>
>> On Mon, Nov 30, 2015 at 10:24 AM Roy Arends <<a href="mailto:roy@dnss.ec" target="_blank">roy@dnss.ec</a>> wrote:<br>
>><br>
>>> On 29 Nov 2015, at 23:20, Roy Arends wrote:<br>
>>><br>
>>>> I am only able to generate about 16K unique keytags for a 2K RSASHA256<br>
>>>> KSK (*), even after generating hundreds of thousands of keys in a<br>
>>>> loop.<br>
>>>><br>
>>>> I expected the entire 16 bit keytag space used (i.e. 64K keytags), as<br>
>>>> the keytag is simply the sum of the DNSKEY RDATA (as a series of two<br>
>>>> byte values) with the high two bytes of the resulting 32 bit value<br>
>>>> added to the low 2 byte without carry.<br>
>>>><br>
>>>> Since the RDATA contains 256 bytes of modulus (a result of multiplying<br>
>>>> two randomly generated 128 byte primes), I thought it had a fair<br>
>>>> amount of entropy so that the resulting key tags would be nicely<br>
>>>> distributed.<br>
>>>><br>
>>>> Apparently not.<br>
>>>><br>
>>>> Anyone able (willing) to explain the math, please?<br>
>>><br>
>>> Peter van Dijk generated a large set of DNSKEYs with the same algorithm,<br>
>>> flags and exponent and was able to generate a lot more unique keytags.<br>
>>> Peter is using PowerDNS ’pdnssec add-zone-key’ which uses mbedTLS<br>
>>> 2.1.0, while I was using dnssec-keygen and ldns-keygen which both used<br>
>>> OpenSSL 0.9.8zg.<br>
>>><br>
>>> It looks like the difference stems from the libraries involved. At least<br>
>>> we can fingerprint the key generators behind the keys used :-)<br>
>>><br>
>>> Not sure if I can find out more, or if this is important. Will keep<br>
>>> looking though.<br>
>>><br>
>>> Thanks<br>
>>><br>
>>> Roy<br>
>>> _______________________________________________<br>
>>> dns-operations mailing list<br>
>>> <a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
>>> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
>>> dns-jobs<br>
>>> <<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operationsdns-jobs" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operationsdns-jobs</a>><br>
>>> mailing list<br>
>>> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
> _______________________________________________<br>
> dns-operations mailing list<br>
> <a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
> dns-jobs mailing list<br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operationsdns-jobs" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br>
dns-jobs</a> mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a></blockquote></div>