"Length"-output in DNSSEC-Policy state-files vs. "Key Length"-output on dnsviz.net
Tom
lists at verreckte-cheib.ch
Wed May 11 08:08:57 UTC 2022
Hi Tony
Many thanks for your explanation!
Tom
On 10.05.22 10:46, Tony Finch wrote:
> Tom <lists at verreckte-cheib.ch> wrote:
>
>> I'm wondering about the value of the "Length" field in the dnssec-policy
>> state-file output, which results in "Length: 256" for domains that are
>> signed with algorithm 13 (ECDSAP256SHA256),
>
> That's the size of the cryptographic modulus, i.e. the size of the numbers
> in the guts of the cryptographic algorithm.
>
>> and the "Key length"-output for the domain on "dnsviz.net" (ZSK or KSK),
>> which results in "Key Length: 512".
>
> For P-256 the public key needs two coordinates to identify the point on
> the curve, so it's twice the nominal size of the algorithm.
>
> DNSviz is not being entirely consistent here, because RSA public keys also
> require a few more bits than their nominal size (for the public exponent),
> but DNSviz shows their nominal size rather than the size of the public key
> blob in the DNSKEY record.
>
> (The public exponent is usually 65537, which is why RSA keys typically
> start with AwEAA rather than being completely random.)
>
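A worked check of the two numbers Tony describes, as an added example that is not part of the thread: it decodes the DNSKEY public-key field as laid out in RFC 3110 (RSA) and RFC 6605 (ECDSA), reports the nominal size (the state-file "Length") beside the size of the whole blob (the DNSviz "Key Length"), and shows why an exponent of 65537 makes the base64 start with AwEAA. It also covers P-384 (algorithm 14), which the thread does not mention; the sample keys are constructed, not real zone keys.

```python
import base64
import struct

# RFC 3110 (RSA) and RFC 6605 (ECDSA) layouts of the DNSKEY public-key field.
RSA_ALGS = {5, 7, 8, 10}              # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
ECDSA_COORD_BYTES = {13: 32, 14: 48}  # P-256 and P-384 coordinate sizes in bytes


def rsa_public_field(exponent: int, modulus: bytes) -> bytes:
    """Build the RFC 3110 RSA field: [exp_len][exponent][modulus]."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        return bytes([len(exp)]) + exp + modulus
    return b"\x00" + struct.pack(">H", len(exp)) + exp + modulus  # long-exponent form


def key_lengths(algorithm: int, public_key_b64: str) -> dict:
    """Nominal key size (BIND state file 'Length') next to the size of the
    whole DNSKEY public-key blob (what DNSviz reports as 'Key Length')."""
    blob = base64.b64decode(public_key_b64)
    info = {"blob_bits": len(blob) * 8}
    if algorithm in RSA_ALGS:
        exp_len, off = blob[0], 1
        if exp_len == 0:                      # long exponent: 2-byte length follows
            exp_len, off = struct.unpack(">H", blob[1:3])[0], 3
        exponent = int.from_bytes(blob[off:off + exp_len], "big")
        modulus = int.from_bytes(blob[off + exp_len:], "big")
        # Nominal size is the modulus alone; the blob also carries the exponent.
        info.update(family="RSA", exponent=exponent, nominal_bits=modulus.bit_length())
    elif algorithm in ECDSA_COORD_BYTES:
        coord = ECDSA_COORD_BYTES[algorithm]
        if len(blob) != 2 * coord:
            raise ValueError(f"algorithm {algorithm} expects {2 * coord} bytes, got {len(blob)}")
        # Uncompressed point x || y: the curve size is one coordinate, the blob is two.
        info.update(family="ECDSA", nominal_bits=coord * 8)
    else:
        raise ValueError(f"unsupported DNSKEY algorithm {algorithm}")
    return info


# Constructed sample keys (not real zone keys): a 2048-bit RSA modulus with
# exponent 65537, and a 64-byte P-256 point.
SAMPLE_MODULUS = bytes([0xC3]) + bytes((i * 37 + 11) % 256 for i in range(255))
SAMPLE_RSA_B64 = base64.b64encode(rsa_public_field(65537, SAMPLE_MODULUS)).decode()
SAMPLE_P256_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print("RSASHA256:", key_lengths(8, SAMPLE_RSA_B64))          # nominal 2048, blob 2080
    print("ECDSAP256SHA256:", key_lengths(13, SAMPLE_P256_B64))  # nominal 256, blob 512
    print("RSA field starts with:", SAMPLE_RSA_B64[:5])         # AwEAA
```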