fermat primes and dnssec-keygen bug?

Chris Thompson cet1 at cam.ac.uk
Wed Mar 7 14:43:01 UTC 2012


On Mar 7 2012, Bill Owens wrote:

>On Wed, Mar 07, 2012 at 12:13:35PM +0000, Chris Thompson wrote:
>> This is wrong (although I have seen the same thing stated in a number
>> of other places). When the default public exponent was changed from
>> 3 to 2^16+1 (change 2088) the one selected by -e was changed from
>> 2^16+1 to 2^30+3 ... *not* 2^32+1. And so it remains today.
>
>...
>
>> And you will find that the ones generated by "dnssec-keygen -e" start
>> BEAAAA...
>
>Umm, no:
>
>[littledebian:~/dns] owens% dnssec-keygen -e example.com
>Generating key pair....................................++++++ .............++++++ 
>Kexample.com.+005+43304
>[littledebian:~/dns] owens% cat Kexample.com.+005+43304.key
>; This is a zone-signing key, keyid 43304, for example.com.
>; Created: 20120307140855 (Wed Mar  7 09:08:55 2012)
>; Publish: 20120307140855 (Wed Mar  7 09:08:55 2012)
>; Activate: 20120307140855 (Wed Mar  7 09:08:55 2012)
>example.com. IN DNSKEY 256 3 5 BQEAAAABw3A8Wji6BjyanbOXUtIH1UcroHZKh06qRKXASbxHAQHJogaw 6m2wYX77KvtzVSto/nbHXM/53Vbu/Ar8CAXC/+r/R5BOHw73qA12LqXr 7utMeLmBPjq4RUqluurlVTHt5/FD85tr0yr8mu7h39gVmMY0bnRpgx6p aj2zjpv3O3U=
>
>The code definitely uses 2^32+1:
>
>[littledebian:bind-9.9.0/lib/dns] owens% grep -A 3 -B 5 F5 opensslrsa_link.c
>	if (exp == 0) {
>		/* RSA_F4 0x10001 */
>		BN_set_bit(e, 0);
>		BN_set_bit(e, 16);
>	} else {
>		/* F5 0x100000001 */
>		BN_set_bit(e, 0);
>		BN_set_bit(e, 32);
>	}

Oh, damn. I have to retract. Or indeed, grovel. It all depends on which
version of OpenSSL it is linked with, not on the code in dnssec-keygen
itself. Older versions do indeed generate 2^30+3, but newer ones 2^32+1.

You can see the BEAAAA (2^30+3) ones in the DNSKEYs for dlv.isc.org as
well as in a number of our own zones (which says either that the keys
are oldish or that the versions of OpenSSL used are not as up to date
as they probably ought to be).

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
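
Added example, not part of the original message or of BIND: the public exponent can be read straight out of a DNSKEY's base64 field using the RFC 3110 RSA key layout (exponent length, exponent, modulus), which is why the leading characters discussed above identify it. PAGE_KEY is the key from the quoted dnssec-keygen output; the function names and SAMPLE_MODULUS are made up for illustration.

```python
import base64

# DNSKEY public key field copied from the quoted dnssec-keygen -e output above.
PAGE_KEY = (
    "BQEAAAABw3A8Wji6BjyanbOXUtIH1UcroHZKh06qRKXASbxHAQHJogaw "
    "6m2wYX77KvtzVSto/nbHXM/53Vbu/Ar8CAXC/+r/R5BOHw73qA12LqXr "
    "7utMeLmBPjq4RUqluurlVTHt5/FD85tr0yr8mu7h39gVmMY0bnRpgx6p "
    "aj2zjpv3O3U="
)

def parse_rsa_dnskey(b64_text):
    """Split an RFC 3110 RSA key blob into (exponent, modulus bit length)."""
    blob = base64.b64decode("".join(b64_text.split()))
    if not blob:
        raise ValueError("empty key")
    exp_len, offset = blob[0], 1
    if exp_len == 0:  # long form: zero octet, then a 2-octet length
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    if exp_len == 0 or len(blob) <= offset + exp_len:
        raise ValueError("truncated key")
    exponent = int.from_bytes(blob[offset:offset + exp_len], "big")
    modulus = int.from_bytes(blob[offset + exp_len:], "big")
    return exponent, modulus.bit_length()

def encode_rsa_dnskey(exponent, modulus):
    """Build the same wire format (short exponent-length form only)."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return base64.b64encode(bytes([len(e)]) + e + n).decode()

def describe(exponent):
    """Name the exponents mentioned in this thread; hex for anything else."""
    known = {3: "3", 2**16 + 1: "2^16+1 (F4)",
             2**30 + 3: "2^30+3", 2**32 + 1: "2^32+1 (F5)"}
    return known.get(exponent, hex(exponent))

# Constructed sample: a made-up 1024-bit odd number standing in for a modulus.
SAMPLE_MODULUS = (1 << 1023) | 0xC0FFEE01
SAMPLE_OLD_KEY = encode_rsa_dnskey(2**30 + 3, SAMPLE_MODULUS)

if __name__ == "__main__":
    for label, key in (("page key", PAGE_KEY), ("constructed", SAMPLE_OLD_KEY)):
        e, bits = parse_rsa_dnskey(key)
        print(f"{label}: prefix={key[:6]} e={describe(e)} modulus={bits} bits")
```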


