"Length"-output in DNSSEC-Policy state-files vs. "Key Length"-output on dnsviz.net

Tony Finch fanf at isc.org
Tue May 10 08:46:19 UTC 2022


Tom <lists at verreckte-cheib.ch> wrote:

> I'm wondering about the value of the "Length"-field in the dnssec-policy
> state-file output, which results in "Length: 256" for domains, which are
> signed with algorithm 13 (ECDSAP256SHA256)

That's the size of the cryptographic modulus, i.e. the size of the numbers
in the guts of the cryptographic algorithm.

> and the "Key length"-output for the domain on "dnsviz.net" (ZSK or KSK),
> which results in "Key Length: 512".

For P-256 the public key needs two coordinates to identify the point on
the curve, so it's twice the nominal size of the algorithm.

DNSviz is not being entirely consistent here, because RSA public keys also
require a few more bits than their nominal size (for the public exponent),
but DNSviz shows their nominal size rather than the size of the public key
blob in the DNSKEY record.

(The public exponent is usually 65537, which is why RSA keys typically
start AwEAA rather than being completely random.)

-- 
Tony Finch  <fanf at isc.org>  (he/they)  Cambridge, England
Trafalgar: Northerly or northeasterly 3 to 5, but easterly 5 to 7 in
far southeast. Slight or moderate, occasionally rough later in north.
Fair. Good.
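As an added illustration (not code from Tony's post, BIND, or DNSviz), the following script computes both figures from a DNSKEY public-key field: the nominal size that a dnssec-policy state file reports and the size of the key blob carried in the record. It decodes RSA keys per the RFC 3110 wire format (exponent length, exponent, modulus) and ECDSA keys per RFC 6605 (x and y coordinates, no prefix byte); the sample keys are constructed, not real zone keys.

```python
import base64
from typing import NamedTuple, Tuple

# Added example; the sample keys below are constructed, not taken from any zone.

class KeyLengths(NamedTuple):
    nominal_bits: int  # modulus / curve size, as in a dnssec-policy state file "Length"
    blob_bits: int     # bits in the DNSKEY Public Key field (what DNSviz shows for P-256)

ALG_RSASHA256 = 8
ALG_ECDSAP256SHA256 = 13
ALG_ECDSAP384SHA384 = 14

def parse_rsa_pubkey(blob: bytes) -> Tuple[int, int]:
    """RFC 3110: exponent length (1 byte, or 0 followed by 2 bytes), exponent, modulus."""
    if blob[0] != 0:
        exp_len, off = blob[0], 1
    else:
        exp_len, off = int.from_bytes(blob[1:3], "big"), 3
    exponent = int.from_bytes(blob[off:off + exp_len], "big")
    modulus = int.from_bytes(blob[off + exp_len:], "big")
    return exponent, modulus

def dnskey_lengths(algorithm: int, pubkey_b64: str) -> KeyLengths:
    blob = base64.b64decode(pubkey_b64)
    blob_bits = len(blob) * 8
    if algorithm == ALG_RSASHA256:
        _, modulus = parse_rsa_pubkey(blob)
        # nominal RSA size is the modulus; the blob also carries the exponent field
        return KeyLengths(modulus.bit_length(), blob_bits)
    if algorithm in (ALG_ECDSAP256SHA256, ALG_ECDSAP384SHA384):
        # RFC 6605: uncompressed point x||y, so the blob is two coordinates wide
        return KeyLengths(blob_bits // 2, blob_bits)
    raise ValueError(f"unhandled DNSKEY algorithm {algorithm}")

def build_rsa_pubkey(exponent: int, modulus: int) -> str:
    """Encode an RSA DNSKEY Public Key field (RFC 3110) as base64."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    elen = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return base64.b64encode(elen + e + n).decode()

# Constructed sample keys: 64 arbitrary bytes for P-256, a 2048-bit modulus with e=65537.
P256_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
RSA2048_KEY_B64 = build_rsa_pubkey(65537, (1 << 2047) | (1 << 2046) | 12345)
```

Running `dnskey_lengths` on the two samples yields 256/512 bits for the P-256 key and 2048/2080 bits for the RSA key, and the RSA base64 begins with AwEAA because of the 65537 exponent field.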