<div dir="ltr">Yeah, I'm actually doing:<div>------------</div><div><div>#!/bin/bash</div><div><br></div><div>for i in `seq 1 2000`; do dnssec-keygen -K keys -a RSASHA256 -b 2048 -f KSK -v 0</div><div> -r /dev/urandom <a href="http://example.com">example.com</a> > /dev/null 2>&1; done</div><div><br></div><div>ls keys/*.key | awk -F '+' '{print $3}' >> keytags</div><div><br></div><div>rm keys/*</div><div><br></div><div>echo "There are "</div><div>wc -l keytags</div></div><div><br></div><div>----------</div><div><br></div><div>(I delete the keys after generating 2000 of them, because I didn't really see a need for keeping them around. Perhaps that was a mistake.)</div><div>Anyway, it takes me ~10m to generate 2K keys. Currently I have generated 9209, and 7285 of them are unique.</div><div><br></div><div>W</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 30, 2015 at 10:49 AM Roy Arends <<a href="mailto:roy@dnss.ec">roy@dnss.ec</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 30 Nov 2015, at 15:34, Warren Kumari wrote:<br>
<br>
> ... and, for the last hour or so I've been generating lots of keys<br>
> using<br>
> ISC BIND dnssec-keygen.<br>
><br>
> Currently I'm up to:<br>
> wkumari@eric:~/tmp/tmp$ wc -l keytags<br>
> 5209 keytags<br>
> (and, boy, are my fingers tired...)<br>
><br>
> How did you generate the keys? I've been doing:<br>
> dnssec-keygen -K keys -a RSASHA256 -b 2048 -f KSK -v \<br>
> 0 -r /dev/urandom <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> > /dev/null 2>&1<br>
<br>
while true; do /usr/local/sbin/dnssec-keygen -a rsasha256 -b 2048 -f KSK<br>
.; done<br>
<br>
to do an equivalent calculation with random numbers I use:<br>
<br>
while true; do jot -r 128 0 65535|awk '{s+=$1} END {print (s +<br>
int(s/65536))%65535}'>>test;done<br>
<br>
The former gets about 16K unique results, the latter 64K.<br>
<br>
Roy<br>
<br>
<br>
><br>
> W<br>
><br>
> On Mon, Nov 30, 2015 at 10:24 AM Roy Arends <<a href="mailto:roy@dnss.ec" target="_blank">roy@dnss.ec</a>> wrote:<br>
><br>
>> On 29 Nov 2015, at 23:20, Roy Arends wrote:<br>
>><br>
>>> I am only able to generate about 16K unique keytags for a 2K<br>
>>> RSASHA256<br>
>>> KSK (*), even after generating hundreds of thousands of keys in a<br>
>>> loop.<br>
>>><br>
>>> I expected the entire 16 bit keytag space used (i.e. 64K keytags),<br>
>>> as<br>
>>> the keytag is simply the sum of the DNSKEY RDATA (as a series of two<br>
>>> byte values) with the high two bytes of the resulting 32 bit value<br>
>>> added to the low 2 byte without carry.<br>
>>><br>
>>> Since the RDATA contains 256 bytes of modulus (a result of<br>
>>> multiplying<br>
>>> two randomly generated 128 byte primes), I thought it had a fair<br>
>>> amount of entropy so that the resulting key tags would be nicely<br>
>>> distributed.<br>
>>><br>
>>> Apparently not.<br>
>>><br>
>>> Anyone able (willing) to explain the math, please?<br>
>><br>
>> Peter van Dijk generated a large set of DNSKEYs with the same<br>
>> algorithm,<br>
>> flags and exponent and was able to generate a lot more unique<br>
>> keytags.<br>
>> Peter is using PowerDNS ’pdnssec add-zone-key’ which uses mbedTLS<br>
>> 2.1.0, while I was using dnssec-keygen and ldns-keygen which both<br>
>> used<br>
>> OpenSSL 0.9.8zg.<br>
>><br>
>> It looks like the difference stems from the libraries involved. At<br>
>> least<br>
>> we can fingerprint the key generators behind the keys used :-)<br>
>><br>
>> Not sure if I can find out more, or if this is important. Will keep<br>
>> looking though.<br>
>><br>
>> Thanks<br>
>><br>
>> Roy<br>
>> _______________________________________________<br>
>> dns-operations mailing list<br>
>> <a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
>> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
>> dns-jobs<br>
>> <<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operationsdns-jobs" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operationsdns-jobs</a>><br>
>> mailing list<br>
>> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
</blockquote></div>