nanog mailing list archives
Re: fyi-- [dns-operations] early key rollover for dlv.isc.org
From: Joseph S D Yao <jsdy () center osis gov>
Date: Fri, 22 Sep 2006 19:29:31 -0400
On Thu, Sep 21, 2006 at 01:37:40PM -0400, Steven M. Bellovin wrote:
> On 21 Sep 2006 17:01:45 +0000, Paul Vixie <vixie () vix com> wrote:
> > > Paul, what exponent does the new key use?  (I clicked on the public key
> > > link, but I can't decode the base64 that easily...)
> >
> > it was made with bind9's "dnssec-keygen" utility, using the -e option, so...
> >
> >     -e      use large exponent (RSAMD5/RSASHA1 only)
> >
> > ...hopefully it's a good exponent.  (every few years someone tries to
> > explain to me what a key exponent is, i think you steve have tried, but it
> > just doesn't stick.)
>
> It's pretty simple, if you don't want to understand why it works...
;-)  Not having committed the maths to heart, I might be able to explain it a little differently.

Paul, I think you know the basic idea of what an exponent is.  If you're raising one number to a certain power (say, 127 to the fifth power), then the power (5 in this example) is the exponent.  127^5 or 127**5 are ways of expressing this in various of the thousands of computer languages in existence.  Many more languages just use functions.

This exponent is used to encrypt or sign, by taking numbers calculated from what you want to encrypt, raising each one to the (exponent)th power, and doing a number of other mathematical operations on them.

It matters what exponent you use.  A bigger exponent isn't necessarily better - remember, I haven't committed the maths to heart, but I do recall Don Knuth's warning about choosing such numbers arbitrarily.  Steve has pointed out that 3 is recommended for DNSSEC, and NIST likes 65537 [2^16 + 1].  I don't have the maths to say why, so I'll leave it at that.  ;-)

-- 
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
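An added example (not part of the thread, and not ISC's or BIND's code) that does two things the messages above talk about: it decodes the public exponent out of the base64 field of an RSA DNSKEY record, which is the question Steve asked and could not answer by eye, and it shows the exponent doing its job in textbook RSA signing and verification. The DNSKEY blob it decodes is constructed inline from toy primes; it is not dlv.isc.org's key. The wire layout it parses is the RFC 3110 one (exponent length, exponent, modulus); the names `encode_rsa_dnskey`, `decode_rsa_dnskey`, `verify_cost` and `toy_keypair` are this example's own.

```python
"""Decode the RSA public exponent from DNSKEY RDATA and show what it does.

Added example; the key material below is constructed from toy primes and is
NOT a real DNSSEC key.  Requires Python 3.8+ (pow(e, -1, m)).
"""
import base64
from math import gcd
from typing import Tuple


def encode_rsa_dnskey(e: int, n: int) -> bytes:
    """RSA public key as carried in DNSKEY RDATA (RFC 3110, section 2):
    1-byte exponent length (or 0x00 followed by a 2-byte length when the
    exponent is 256 bytes or longer), then the exponent, then the modulus."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        return bytes([len(e_bytes)]) + e_bytes + n_bytes
    return b"\x00" + len(e_bytes).to_bytes(2, "big") + e_bytes + n_bytes


def decode_rsa_dnskey(rdata: bytes) -> Tuple[int, int]:
    """Inverse of encode_rsa_dnskey: returns (exponent, modulus)."""
    if rdata[0] != 0:
        elen, off = rdata[0], 1
    else:
        elen, off = int.from_bytes(rdata[1:3], "big"), 3
    e = int.from_bytes(rdata[off:off + elen], "big")
    n = int.from_bytes(rdata[off + elen:], "big")
    return e, n


def exponent_from_dnskey_b64(b64: str) -> int:
    """The public exponent, read straight from the base64 blob that follows the
    flags/protocol/algorithm fields of an RSA DNSKEY RR."""
    return decode_rsa_dnskey(base64.b64decode(b64))[0]


def verify_cost(e: int) -> Tuple[int, int]:
    """Square-and-multiply work for s**e mod n as (squarings, multiplications).
    This is why a 'bigger' exponent is not automatically better: e=3 and
    e=65537 each need a single multiplication, because both have only two
    one-bits; 65537 just needs more squarings."""
    return e.bit_length() - 1, bin(e).count("1") - 1


def toy_keypair(p: int, q: int, e: int) -> Tuple[int, int, int]:
    """Textbook RSA with toy primes: returns (n, e, d).  e must be coprime to
    (p-1)(q-1); a given e is simply unusable with some prime pairs."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"exponent {e} is not coprime to (p-1)(q-1)")
    return p * q, e, pow(e, -1, phi)


def sign(m: int, d: int, n: int) -> int:
    """Signing raises to the private exponent d."""
    return pow(m, d, n)


def verify(s: int, e: int, n: int) -> int:
    """Verifying raises the signature to the public exponent e and recovers m.
    (Real DNSSEC signs a padded hash of the RRset, not a raw integer.)"""
    return pow(s, e, n)


# Constructed sample key: toy primes, NOT a real DNSKEY.  65537 is the
# exponent NIST likes; try 3 here to see the other common choice.
SAMPLE_N, SAMPLE_E, SAMPLE_D = toy_keypair(1009, 1013, 65537)
SAMPLE_DNSKEY_B64 = base64.b64encode(encode_rsa_dnskey(SAMPLE_E, SAMPLE_N)).decode()

if __name__ == "__main__":
    print("sample DNSKEY base64 field:", SAMPLE_DNSKEY_B64)
    print("public exponent:", exponent_from_dnskey_b64(SAMPLE_DNSKEY_B64))
    s = sign(42, SAMPLE_D, SAMPLE_N)
    print("sign/verify round trip recovers 42:", verify(s, SAMPLE_E, SAMPLE_N) == 42)
    for e in (3, 65537, (1 << 16) + 3):
        print(f"e={e}: (squarings, multiplications) = {verify_cost(e)}")
```

To answer the question in the thread for a real key, paste the base64 field of the DNSKEY record into `exponent_from_dnskey_b64`; the first byte (or, if zero, the next two) tells the decoder how long the exponent is, so 3 and 65537 are both easy to spot once decoded.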