fermat primes and dnssec-keygen bug?

Paul Wouters paul at cypherpunks.ca
Tue Mar 6 21:58:27 UTC 2012


See part of the discussion Miek and I had at the golang group:

http://code.google.com/p/go/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Status%20Stars%20Priority%20Owner%20Reporter%20Summary&groupby=&sort=&id=3161

The bug seems to be that dnssec-keygen upgraded the fermat prime that
is used per default from F0 to F4, but did not change that "-e" would
get you the next fermat number. The result is that people who upgrade
bind and don't notice this changed behaviour are not changing their
scripts that explicitly use "-e".

I would recommend that dnssec-keygen starts ignoring the "-e" parameter
that everyone has put in their scripts to prevent exponent 3 keys, who
are not getting keys with exponent 4294967296 + 1 (F5)

Alternatively, if this is done on purpose, I guess we should all
migrate the 64 bit machines :)

You can detect these starts, as they start with BQE

Paul
More information about the bind-users mailing list