Tom <li...@verreckte-cheib.ch> wrote:

> I'm wondering about the value of the "Length"-field in the dnssec-policy
> state-file output, which results in "Length: 256" for domains, which are
> signed with algorithm 13 (ECDSAP256SHA256)

That's the size of the cryptographic modulus, i.e. the size of the numbers in the guts of the cryptographic algorithm.

> and the "Key length"-output for the domain on "dnsviz.net" (ZSK or KSK),
> which results in "Key Length: 512".

For P-256 the public key needs two coordinates to identify the point on the curve, so it's twice the nominal size of the algorithm.

DNSviz is not being entirely consistent here, because RSA public keys also require a few more bits than their nominal size (for the public exponent), but DNSviz shows their nominal size rather than the size of the public key blob in the DNSKEY record. (The public exponent is usually 65537, which is why RSA keys typically start AwEAA rather than being completely random.)

--
Tony Finch <f...@isc.org> (he/they) Cambridge, England
Trafalgar: Northerly or northeasterly 3 to 5, but easterly 5 to 7 in far southeast. Slight or moderate, occasionally rough later in north. Fair. Good.
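The two ways of counting described in the reply above, as an added example that is not part of the original message: it decodes the public key field of a DNSKEY record and reports the nominal size next to the size of the key blob. The function names are hypothetical, and the sample keys are constructed byte patterns of the right length, not real keys.

```python
import base64

RSA_ALGS = {5, 7, 8, 10}        # RSASHA1 .. RSASHA512, key format from RFC 3110
ECDSA_ALGS = {13: 32, 14: 48}   # P-256 / P-384 coordinate size in bytes (RFC 6605)

def split_rsa(blob):
    """Split an RFC 3110 key blob into (public exponent, modulus) integers."""
    if blob[0] != 0:            # one-byte exponent length
        elen, off = blob[0], 1
    else:                       # zero byte, then a two-byte exponent length
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    if len(blob) <= off + elen:
        raise ValueError("RSA key blob has no modulus")
    exponent = int.from_bytes(blob[off:off + elen], "big")
    modulus = int.from_bytes(blob[off + elen:], "big")
    return exponent, modulus

def dnskey_sizes(algorithm, pubkey_b64):
    """Return (nominal_bits, blob_bits) for a DNSKEY public key field."""
    blob = base64.b64decode(pubkey_b64, validate=True)
    blob_bits = len(blob) * 8
    if algorithm in ECDSA_ALGS:
        coord = ECDSA_ALGS[algorithm]
        if len(blob) != 2 * coord:   # the blob is X || Y, two full coordinates
            raise ValueError("unexpected ECDSA public key length")
        return coord * 8, blob_bits
    if algorithm in RSA_ALGS:
        _, modulus = split_rsa(blob)
        return modulus.bit_length(), blob_bits
    raise ValueError("algorithm not handled in this example")

# Constructed samples: correct lengths only, not valid keys.
ECDSA_SAMPLE = base64.b64encode(bytes(range(64))).decode()
RSA_SAMPLE = base64.b64encode(
    b"\x03\x01\x00\x01"             # exponent length 3, exponent 65537
    + b"\xc3" + b"\x5a" * 255       # 2048-bit modulus, top bit set
).decode()

if __name__ == "__main__":
    print("alg 13:", dnskey_sizes(13, ECDSA_SAMPLE))
    print("alg 8: ", dnskey_sizes(8, RSA_SAMPLE), RSA_SAMPLE[:5])
```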