fermat primes and dnssec-keygen bug?
owens at nysernet.org
Wed Mar 7 15:10:42 UTC 2012
On Wed, Mar 07, 2012 at 02:43:01PM +0000, Chris Thompson wrote:
> You can see the BEAAAA (2^30+3) ones in the DNSKEYs for dlv.isc.org as
> well as in a number of our own zones (which says either that the keys
> are oldish or that the versions of OpenSSL used are not as up to date
> as they probably ought to be).
Incidentally, I surveyed a number of domains for exponent choices a couple of weeks ago, just for fun. These have 2^30+3:
And these have 2^32+1:
Reading Michael Sinatra's account of how he set up berkeley.edu was what led me to look at the zkt tool, which hardcodes the -e flag.
As Miek discovered, the hard way, .us also uses 2^32+1; my list didn't include TLDs so there may be others. I'll do another run over lunch today. . .
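A survey like the one described in this message can be run by decoding the public key field of each RSA DNSKEY record, which begins with the exponent length and the exponent (RFC 3110). The sketch below is an added example, not part of the original post; the function names, zone names and sample keys (dummy modulus) are constructed for illustration.

```python
import base64

FERMAT_PRIMES = {3, 5, 17, 257, 65537}
NAMED = {2**30 + 3: "2^30+3", 2**32 + 1: "2^32+1 (F5, divisible by 641)"}

def rsa_exponent(pubkey_b64):
    """Public exponent from the base64 key field of an RSA DNSKEY (RFC 3110)."""
    raw = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    if len(raw) < 3:
        raise ValueError("key field too short")
    # Exponent length is one octet, or 0x00 followed by a two-octet length.
    if raw[0]:
        exp_len, start = raw[0], 1
    else:
        exp_len, start = int.from_bytes(raw[1:3], "big"), 3
    end = start + exp_len
    if exp_len == 0 or end >= len(raw):  # no exponent, or no modulus after it
        raise ValueError("truncated or malformed key field")
    return int.from_bytes(raw[start:end], "big")

def classify(e):
    if e in FERMAT_PRIMES:
        return "Fermat prime"
    return NAMED.get(e, "other")

def sample_key(e):
    """Constructed key field: exponent e plus a dummy 1024-bit modulus."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return base64.b64encode(bytes([len(eb)]) + eb + b"\xc1" + bytes(127)).decode()

def survey(records):
    """Map each zone name to (exponent, label)."""
    out = {}
    for name, key in records.items():
        e = rsa_exponent(key)
        out[name] = (e, classify(e))
    return out

# Constructed records; zone names are placeholders.
SAMPLES = {z: sample_key(e) for z, e in
           [("a.example", 65537), ("b.example", 2**30 + 3), ("c.example", 2**32 + 1)]}

if __name__ == "__main__":
    for zone, (e, label) in survey(SAMPLES).items():
        print(f"{zone}: e={e} ({label})")
```

A key field whose base64 text starts with `BEAAAA` decodes to a four-octet exponent beginning 0x40 0x00 0x00, which is how the 2^30+3 keys mentioned in the quoted text can be spotted by eye.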