fermat primes and dnssec-keygen bug?

Paul Wouters paul at cypherpunks.ca
Tue Mar 6 21:58:27 UTC 2012

See part of the discussion Miek and I had at the golang group:


The bug seems to be that dnssec-keygen upgraded the fermat prime that
is used per default from F0 to F4, but did not change that "-e" would
get you the next fermat number. The result is that people who upgrade
bind and don't notice this changed behaviour are not changing their
scripts that explicitly use "-e".

I would recommend that dnssec-keygen starts ignoring the "-e" parameter
that everyone has put in their scripts to prevent exponent 3 keys, who
are not getting keys with exponent 4294967296 + 1 (F5).

Alternatively, if this is done on purpose, I guess we should all
migrate the 64 bit machines :)

You can detect these starts, as they start with BQE


More information about the bind-users mailing list