fermat primes and dnssec-keygen bug?
Paul Wouters
paul at cypherpunks.ca
Tue Mar 6 21:58:27 UTC 2012
See part of the discussion Miek and I had at the golang group:
http://code.google.com/p/go/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Status%20Stars%20Priority%20Owner%20Reporter%20Summary&groupby=&sort=&id=3161

The bug seems to be that dnssec-keygen upgraded the fermat prime that
is used per default from F0 to F4, but did not change that "-e" would
get you the next fermat number. The result is that people who upgrade
bind and don't notice this changed behaviour are not changing their
scripts that explicitly use "-e".

I would recommend that dnssec-keygen starts ignoring the "-e" parameter
that everyone has put in their scripts to prevent exponent 3 keys, who
are not getting keys with exponent 4294967296 + 1 (F5)

Alternatively, if this is done on purpose, I guess we should all
migrate the 64 bit machines :)

You can detect these starts, as they start with BQE

Paul
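
The "BQE" prefix mentioned above follows from the RFC 3110 RSA key encoding (an exponent-length octet, the exponent, then the modulus), so a zone's DNSKEY data can be audited by decoding the exponent rather than matching the string. This is an added example, not part of the original message or of BIND; the function names are hypothetical and the sample keys are constructed with a placeholder modulus, not real keys.

```python
import base64

F4 = 2**16 + 1   # 65537
F5 = 2**32 + 1   # 4294967297, the exponent named in the post


def parse_rsa_dnskey(b64_key):
    """Split an RFC 3110 RSA public key field into (exponent, modulus_bits)."""
    raw = base64.b64decode("".join(b64_key.split()), validate=True)
    if len(raw) < 3:
        raise ValueError("key field too short")
    # One length octet, or 0x00 followed by a two-octet length.
    if raw[0] != 0:
        exp_len, offset = raw[0], 1
    else:
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    exponent = raw[offset:offset + exp_len]
    modulus = raw[offset + exp_len:]
    if exp_len == 0 or len(exponent) != exp_len or not modulus:
        raise ValueError("truncated exponent or missing modulus")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big").bit_length()


def classify(b64_key):
    """Return 'F5', 'oversized' (does not fit in 32 bits) or 'ok'."""
    exponent, _ = parse_rsa_dnskey(b64_key)
    if exponent == F5:
        return "F5"
    return "oversized" if exponent >= 2**32 else "ok"


def build_key(exponent, modulus):
    """Constructed sample data only: encode exponent and modulus per RFC 3110."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    prefix = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return base64.b64encode(prefix + e + n).decode()


# Constructed inputs: a 1024-bit placeholder modulus, not a usable RSA key.
SAMPLE_MODULUS = (1 << 1023) | 1
KEY_F4 = build_key(F4, SAMPLE_MODULUS)
KEY_F5 = build_key(F5, SAMPLE_MODULUS)

if __name__ == "__main__":
    for name, key in (("F4", KEY_F4), ("F5", KEY_F5)):
        print(name, key[:8], parse_rsa_dnskey(key), classify(key))
```
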