Dear Fujiwara san,

On Tue, Feb 10, 2026 at 04:28:22PM +0900, Kazunori Fujiwara wrote:
> Dear dnsop WG,
> 
> Authors submitted draft-fujiwara-dnsop-dns-upper-limit-values-05.
> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-dns-upper-limit-values/

Would you also consider adding a limit on the size of the RSA public
exponent "e" in the DNSSEC validation path? There is no limit on the
public exponent in PKCS #1 (it can be up to modulus - 1). While the RSA
modulus itself is limited by DNS RFCs 3110 and 5702 to a max of 4096
bits, there is no such limit on the public exponent.

Having a small RSA public exponent is important for efficient RSA
signature validation, otherwise validation performance can be
significantly degraded. RFC 3110 recommends that it be small, but this
doesn't prevent an attacker from using a high value.

FIPS 186-5 and NIST 800-56B specify 2^16 < e < 2^256, but there are
several TLDs still using e=3, so the lower limit cannot be 65537. There
should be a high limit.

Crypto libraries may limit the RSA public exponent. For example, current
OpenSSL master HEAD limits it as below in the signature verify path:

    /* for large moduli, enforce exponent limit */
    if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
        if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
            ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE);
            return -1;
        }
    }

where OPENSSL_RSA_SMALL_MODULUS_BITS is 3072, and
OPENSSL_RSA_MAX_PUBEXP_BITS is 64. However if the modulus size is 3072
bits, the public exponent is unchecked and can be up to 3072 bits. Some
crypto libraries may not limit "e" at all. This may not be an issue in
some other applications, but performance of DNSSEC validation at
resolvers can be severely affected if it is used unchecked.

So, it would be sensible to limit the RSA public exponent size at the
application layer (DNSSEC validator).

BIND has limited it since at least 2012. Loop derived from BIND and has
also had the limit (though the limits were changed in Loop last year as
part of the OpenSSL 3 rewrite of the crypto code). I am not familiar with
other implementations.

A sample RSA keypair with a 3072-bit RSA public exponent is attached.
It causes validation performance to drop by orders of magnitude if "e"
is not checked in the DNSSEC validator linked against OpenSSL.

Sample times for verifying 4096 RRsets:

+---------------------------------+---------------+----------+
| CPU (single core/thread)        | log_2(e)=3072 | e=65537  |
+---------------------------------+---------------+----------+
| Intel(R) Core(TM) Ultra 9 275HX | 31.275s       | 0.356s   |
+---------------------------------+---------------+----------+
| ARM Cortex-A76 (Raspberry Pi 5) | 311.289s      | 2.498s   |
+---------------------------------+---------------+----------+

                Mukund
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: 
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
PublicExponent: 
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
PrivateExponent: 
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
Prime1: 
7r7gPva0az8xg/XH59Yix17DFYJ961FRVPeGH1I5yio7yaQ3hxi+af0bnnHwvBqZFMFG3nN9jxROj34CGIa7w/DQvkbPloLzV6jw0EI9rcadgw1RLx/oZZkbAS8iePcei7c0WGbihmV2zh4wovS/KNKZ8ecGDx+3sEBVSXjqIUEuNjF/rZtR9Ck6FVVcJILWOkRHtv041PMxMYgiib+BoVe6B3M2wAn06XebHLsFlX9wlFSXhUPl3mdkb3/UQDi5
Prime2: 
l4DE07QcysuXIRCuDVkU2XvouQn1O3mXtFVNBiJrEQnMFNtQC2Thb0lKlsPii0UAO8p8c4ff4C1sU25Q/ununmMBp7Af+XuYCd/c9iQzqAsRHXP068TQPmqELoIj5k6jmFxculrmhQJAR8JwiRNlVRdrevfuNPMiB9E8cZY6dO2IhOQYz+ITTOwEvaX9KQjYMu/4H0xSyipzx/Hbw/1Gmf1HEydXFON3v+XTGW/FjqX9Qz60xRK4kcIOCLAkxtL1
Exponent1: 
Zp7rGkmKvAT+XBnoQ9gn7Hb18j6JvFalHUFaxd5bcTDOByz3GzEl4DjHUvWZBJ9zP2Fkbo19WxAuF3VjDFaOvYHMt/rwQjWxMlIY1ttLZgU6J2xe6fupaBU59sSitj3+lziQFdXWx+5RLpg8wY47rrJt1FpuleVlO+v9cF3tCF3Ya+vox/1G5e6W1BP6F9YtZ3A6r3TKlds1rQJ1te9IeovbPpjZaR1qt96qFf+x81WsfUIhl1MT+cPKuKgSKcU7
Exponent2: 
b1jlIKE3nYqdmWSOfa2uk71LVR9PLkBKQBxB6uW+b1D2CEVM1Cd4uTXIQ5eHKx1h4oVIAUoK13Pz1fyYsMGzKTZN4vN/gVU6MAwaHuL7VjdTmQJ0VR43hFaJDxv3scR/fVKX6LSbw6bxV+fjXWtpvYk4lNQ/DMznJ6fKrIhHD76ZwEPK84exs4o6ce1Ksk8XRhc+0GPJNmfv3Xc9c2Ic56IyyKJOsCunU9iY1TNTYq2vNpt0rSxOTrBBhG6p4UoP
Coefficient: 
CAoHtUJAwjjzFe4Sbpx0KetgIr3MGMYiGB7fvr6Qw1FLv6uSkPMdHdrEUNEZHrBJqcvBjlRtoZARJSiVpgKgRY9RjtoiVlNQAFazne+SkEPwBry2duAkwaroAGiBynnf77WiuINsjk9ZS9g8Sfa6nhkEgVN9j+kGGUjKle2gqIObhTLCbH7RcXkQUvDvgPACto706LLwcQGILnaE2zJ5LPUPhwS+nYACb1aJ02jHFUOy1s10ZdFK1Cd5/zjRk1Wt

Attachment: Kexample.+008+44658.key
Description: application/pgp-keys

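The application-layer check the message argues for, as an added example that is not part of the original post and not BIND's or Loop's code: it parses the RFC 3110 wire encoding of an RSA DNSKEY public key (one-byte exponent length, or a zero byte followed by a two-byte length, then exponent, then modulus), enforces a bit-length cap on "e" before any crypto library sees the key, and counts the square-and-multiply steps a naive modular exponentiation would need, which is where the orders-of-magnitude gap in the table above comes from. The numeric limits (MAX_PUBEXP_BITS, MIN_MODULUS_BITS), the function names and the sample key values are assumptions made for this example; the 4096-bit modulus cap is the one from RFC 3110 / RFC 5702.

```python
import struct

# Policy values used by this example. The 4096-bit modulus cap is from
# RFC 3110 / RFC 5702; MIN_MODULUS_BITS and MAX_PUBEXP_BITS are assumed
# example values, not numbers taken from the draft or from any resolver.
MAX_MODULUS_BITS = 4096
MIN_MODULUS_BITS = 512
MAX_PUBEXP_BITS = 35        # comfortably admits e=3 and e=65537


class BadRSAKey(ValueError):
    """Malformed or policy-violating RSA DNSKEY public key."""


def parse_rfc3110_rsa_pubkey(rdata: bytes) -> tuple:
    """Split RFC 3110 public key bytes into (e, n) without validating them."""
    if not rdata:
        raise BadRSAKey("empty public key field")
    explen, off = rdata[0], 1
    if explen == 0:                       # long form: 0x00 + 16-bit length
        if len(rdata) < 3:
            raise BadRSAKey("truncated two-byte exponent length")
        explen = struct.unpack("!H", rdata[1:3])[0]
        off = 3
    if explen == 0:
        raise BadRSAKey("zero-length exponent")
    e_bytes = rdata[off:off + explen]
    n_bytes = rdata[off + explen:]
    if len(e_bytes) != explen:
        raise BadRSAKey("exponent runs past end of key data")
    if not n_bytes:
        raise BadRSAKey("missing modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def encode_rfc3110_rsa_pubkey(e: int, n: int) -> bytes:
    """Inverse of parse_rfc3110_rsa_pubkey (used to build test vectors)."""
    if e < 1 or n < 1:
        raise ValueError("e and n must be positive")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(e_bytes) > 0xFFFF:
        raise ValueError("exponent too long for RFC 3110 encoding")
    if len(e_bytes) < 256:
        prefix = bytes([len(e_bytes)])
    else:
        prefix = b"\x00" + struct.pack("!H", len(e_bytes))
    return prefix + e_bytes + n_bytes


def check_rsa_pubkey_policy(e: int, n: int,
                            max_pubexp_bits: int = MAX_PUBEXP_BITS) -> None:
    """Reject keys a validator should not spend CPU on. Raises BadRSAKey."""
    nbits = n.bit_length()
    if not MIN_MODULUS_BITS <= nbits <= MAX_MODULUS_BITS:
        raise BadRSAKey("modulus is %d bits" % nbits)
    if n % 2 == 0:
        raise BadRSAKey("modulus is even")
    if e < 3 or e % 2 == 0:
        raise BadRSAKey("public exponent must be an odd integer >= 3")
    if e.bit_length() > max_pubexp_bits:     # the check this thread is about
        raise BadRSAKey("public exponent is %d bits, limit is %d"
                        % (e.bit_length(), max_pubexp_bits))


def is_acceptable_dnskey_rsa(rdata: bytes) -> bool:
    """Parse + policy check; True only if the key may be handed to the crypto library."""
    try:
        e, n = parse_rfc3110_rsa_pubkey(rdata)
        check_rsa_pubkey_policy(e, n)
        return True
    except BadRSAKey:
        return False


def square_and_multiply_ops(e: int) -> tuple:
    """(squarings, multiplications) for a plain left-to-right exponentiation.

    Real libraries use windowed methods, but the squaring count (bits of e)
    dominates either way, so this shows why a 3072-bit e costs ~200x a 17-bit e.
    """
    return e.bit_length() - 1, bin(e).count("1") - 1


# Constructed sample values (not real RSA keys; only size and parity matter).
SAMPLE_N = (1 << 3071) | (1 << 1000) | 1          # 3072-bit odd "modulus"
TINY_E = 3                                        # as used by some TLDs
SMALL_E = 65537
HUGE_E = (1 << 3071) | 0x10001                    # 3072-bit odd exponent

if __name__ == "__main__":
    for label, e in (("e=3", TINY_E), ("e=65537", SMALL_E), ("3072-bit e", HUGE_E)):
        rdata = encode_rfc3110_rsa_pubkey(e, SAMPLE_N)
        print(label, "accepted:", is_acceptable_dnskey_rsa(rdata),
              "ops:", square_and_multiply_ops(e))
```

The exponent cap is deliberately a count of bits rather than a specific value, so a deployment that wants to follow FIPS 186-5's 2^256 ceiling can set max_pubexp_bits=256, while a looser value still stops a 3072-bit exponent before it reaches the verify call; the e >= 3 floor is a mathematical requirement of RSA, not a policy choice, and leaves e=3 zones working.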
_______________________________________________
DNSOP mailing list -- [email protected]