Hi Tony
Many thanks for your explanation!
Tom
On 10.05.22 10:46, Tony Finch wrote:
> Tom <li...@verreckte-cheib.ch> wrote:
>> I'm wondering about the value of the "Length" field in the dnssec-policy
>> state-file output, which results in "Length: 256" for domains that are
>> signed with algorithm 13 (ECDSAP256SHA256)
>
> That's the size of the cryptographic modulus, i.e. the size of the numbers
> in the guts of the cryptographic algorithm.
>
>> and the "Key length" output for the domain on "dnsviz.net" (ZSK or KSK),
>> which results in "Key Length: 512".
>
> For P-256 the public key needs two coordinates to identify the point on
> the curve, so it's twice the nominal size of the algorithm.
>
> DNSviz is not being entirely consistent here, because RSA public keys also
> require a few more bits than their nominal size (for the public exponent),
> but DNSviz shows their nominal size rather than the size of the public key
> blob in the DNSKEY record.
>
> (The public exponent is usually 65537, which is why RSA keys typically
> start AwEAA rather than being completely random.)
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
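The two ways of counting that Tony describes (the algorithm's nominal size versus the size of the public-key blob in the DNSKEY RDATA), worked through as an added example. This is not code from the thread, from BIND or from DNSviz; it only assumes the DNSKEY public-key wire formats from RFC 3110 (RSA: exponent length, exponent, modulus) and RFC 6605 (ECDSA: the x and y coordinates concatenated). The sample keys are constructed for illustration and are not valid zone keys.

```python
"""Added example: compute a DNSKEY's "key length" the two ways the thread
discusses.

  nominal_bits : size of the algorithm's main parameter (RSA modulus bits, or
                 the ECDSA curve size) -- what BIND's "Length:" reports
  blob_bits    : size of the public-key bytes actually carried in the DNSKEY
                 RDATA -- what DNSviz reports for ECDSA (512 for P-256)
"""
import base64
import struct

RSA_ALGS = {5, 7, 8, 10}                              # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
ECDSA_ALGS = {13: ("P-256", 32), 14: ("P-384", 48)}   # algorithm -> (curve, bytes per coordinate)


def parse_rsa_public_key(blob: bytes) -> tuple:
    """RFC 3110 wire format: exponent length, exponent, modulus.

    The length is a single byte, or a zero byte followed by a two-byte
    length when the exponent is longer than 255 bytes.
    """
    if not blob:
        raise ValueError("empty RSA public key")
    if blob[0] != 0:
        exp_len, off = blob[0], 1
    else:
        if len(blob) < 3:
            raise ValueError("truncated RSA exponent length")
        exp_len, off = struct.unpack("!H", blob[1:3])[0], 3
    exponent, modulus = blob[off:off + exp_len], blob[off + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated RSA public key")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def dnskey_lengths(algorithm: int, public_key_b64: str) -> dict:
    """Return nominal_bits and blob_bits for one base64 DNSKEY public key."""
    blob = base64.b64decode(public_key_b64)
    result = {"algorithm": algorithm, "blob_bits": len(blob) * 8}
    if algorithm in RSA_ALGS:
        e, n = parse_rsa_public_key(blob)
        result.update(nominal_bits=n.bit_length(), exponent=e)
    elif algorithm in ECDSA_ALGS:
        curve, coord = ECDSA_ALGS[algorithm]
        # RFC 6605: the key is x||y of the uncompressed point, with no 0x04 prefix,
        # so the blob is always exactly twice the curve size.
        if len(blob) != 2 * coord:
            raise ValueError(f"{curve} key must be {2 * coord} bytes, got {len(blob)}")
        result.update(nominal_bits=coord * 8, curve=curve)
    else:
        raise ValueError(f"unsupported DNSKEY algorithm {algorithm}")
    return result


def dnskey_lengths_from_rdata(rdata: str) -> dict:
    """Parse presentation-format RDATA: "<flags> <protocol> <algorithm> <base64...>"."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("DNSKEY RDATA needs flags, protocol, algorithm and key")
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    if protocol != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {protocol}")
    # Zone files commonly split the base64 text into several whitespace-separated chunks.
    info = dnskey_lengths(algorithm, "".join(fields[3:]))
    info["flags"] = flags
    info["role"] = "KSK" if flags & 1 else "ZSK"   # SEP bit distinguishes 257 from 256
    return info


# --- constructed sample keys (illustration only, not real zone keys) -------------
# P-256: 64 bytes, i.e. two 32-byte coordinates. Not a valid curve point, but
# only the length matters here.
SAMPLE_P256_B64 = base64.b64encode(bytes(range(64))).decode()

# RSA: exponent 65537 (03 01 00 01) followed by a 256-byte modulus whose top
# bit is set, so it is exactly 2048 bits. The 4-byte exponent prefix is what
# makes the base64 text begin with "AwEAA".
_modulus = b"\xc3" + b"\x5a" * 255
SAMPLE_RSA2048_B64 = base64.b64encode(b"\x03\x01\x00\x01" + _modulus).decode()


if __name__ == "__main__":
    print(dnskey_lengths_from_rdata(f"257 3 13 {SAMPLE_P256_B64}"))
    print(dnskey_lengths_from_rdata(f"256 3 8 {SAMPLE_RSA2048_B64}"))
    print("RSA key text starts with:", SAMPLE_RSA2048_B64[:5])
```

For the P-256 sample the result is nominal_bits 256 and blob_bits 512, matching BIND's "Length: 256" against DNSviz's "Key Length: 512"; for the RSA sample it is nominal_bits 2048 against a 2080-bit blob, the extra 32 bits being the exponent-length byte plus the three-byte exponent 65537.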