Return-Path: X-Original-To: dnsop@mail2.ietf.org Delivered-To: dnsop@mail2.ietf.org Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 665DCBB0CD29 for ; Fri, 20 Feb 2026 19:50:43 -0800 (PST) X-Virus-Scanned: amavisd-new at ietf.org X-Spam-Flag: NO X-Spam-Score: -1.701 X-Spam-Level: X-Spam-Status: No, score=-1.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, SPF_PASS=-0.001] autolearn=no autolearn_force=no Authentication-Results: mail2.ietf.org (amavisd-new); dkim=fail (2048-bit key) reason="fail (body has been altered)" header.d=mukund.org Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZcJtUvyJ0QY0 for ; Fri, 20 Feb 2026 19:50:42 -0800 (PST) Received: from mx.mukund.org (mx.mukund.org [IPv6:2a01:4f8:13a:28c1:1::d8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3F662BB0CD1D for ; Fri, 20 Feb 2026 19:50:42 -0800 (PST) Date: Sat, 21 Feb 2026 03:50:29 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mukund.org; s=mail; t=1771645834; bh=LCmnKx3Ly7k0m7rJVtIw1N8taXrOSZ6glVzuOlOBPkc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=YOycCZiEC/s/i1eIJOD97J/H5Kyzo3C9j8ssLsE2Ef7dg0RPeD6mlCLi5lZiyBrUM ETuMRGg5CzRHDXUexbLtHl79RIX7f9Wt/QFw2Fe2AwK9LNGBZJ9puM5MKHC24Cb73C vwrblFPhcq6bzmzeAKSotV/0i+9K8uKKcVEgD0tNUrm9pIh/jgvFrC/uR9hGAyPmo0 hRpa3JYtCMu5nnIa833+/WIAWOEQ5ch7mrgQ6JCiLW4Eza6/4g7Pt32p+a7Cz4A17b NneU2UuN9IgLNlQEiPSRmSDopNTRRHQ+YAXjxywgA6NK9GeVxalTVIe50Q9PIbt18u s9NbZ2Di3exjg== From: Mukund Sivaraman To: Kazunori Fujiwara Message-ID: References: <20260210.162822.769915785065787587.fujiwara@wide.ad.jp> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="fzNoPz5V2WUAWkFy" Content-Disposition: inline In-Reply-To: <20260210.162822.769915785065787587.fujiwara@wide.ad.jp> Message-ID-Hash: YEWGRBN6QBT6KG666LUT5IG53DWZEG2H X-Message-ID-Hash: YEWGRBN6QBT6KG666LUT5IG53DWZEG2H X-MailFrom: muks@mukund.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: dnsop@ietf.org X-Mailman-Version: 3.3.9rc6 Precedence: list Subject: =?utf-8?q?=5BDNSOP=5D_Re=3A_draft-fujiwara-dnsop-dns-upper-limit-values-05?= List-Id: IETF DNSOP WG mailing list Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --fzNoPz5V2WUAWkFy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Dear Fujiwara san, On Tue, Feb 10, 2026 at 04:28:22PM +0900, Kazunori Fujiwara wrote: > Dear dnsop WG, > > Authors submitted draft-fujiwara-dnsop-dns-upper-limit-values-05. > https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-dns-upper-limit-values/ Would you also consider adding a limit on the size of the RSA public exponent "e" in the DNSSEC validation path? There is no low limit on the public exponent in PKCS #1 (it can be up to modulus - 1). While the RSA modulus itself is limited by DNS RFCs 3110 and 5702 to a max of 4096 bits, there is no limit on the public exponent (it can be up to modulus - 1). Having a small RSA public exponent is important for efficient RSA signature validation, otherwise validation performance can be significantly degraded. RFC 3110 recommends that it be small, but this doesn't prevent an attacker from using a high value. FIPS 186-5 and NIST 800-56B specify 2^16 < e < 2^256, but there are several TLDs still using e=3, so the lower limit cannot be 65537. There should be a high limit. Crypto libraries may limit the RSA public exponent. For example, current OpenSSL master HEAD limits it as below in the signature verify path: /* for large moduli, enforce exponent limit */ if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); return -1; } } where OPENSSL_RSA_SMALL_MODULUS_BITS is 3072, and OPENSSL_RSA_MAX_PUBEXP_BITS is 64. However if the modulus size is 3072 bits, the public exponent is unchecked and can be up to 3072 bits. Some crypto libraries may not limit "e" at all. This may not be an issue in some other applications, but performance of DNSSEC validation at resolvers can be severely affected if it is used unchecked. So, it would be sensible to limit the RSA public exponent size at the application layer (DNSSEC validator). BIND has limited it since at least 2012. Loop derived from BIND and also has had the limit (though the limits were changed in Loop last year as part of OpenSSL 3 rewrite of the crypto code). I am not familiar with other implementations. A sample RSA keypair with a 3072-bit RSA public exponent is attached. It causes validation performance to drop by orders of magnitude if "e" is not checked in the DNSSEC validator linked against OpenSSL. Sample times for verifying 4096 RRsets: +---------------------------------+---------------+----------+ | CPU (single core/thread) | log_2(e)=3072 | e=65537 | +---------------------------------+---------------+----------+ | Intel(R) Core(TM) Ultra 9 275HX | 31.275s | 0.356s | +---------------------------------+---------------+----------+ | ARM Cortex-A76 (Raspberry Pi 5) | 311.289s | 2.498s | +---------------------------------+---------------+----------+ Mukund --fzNoPz5V2WUAWkFy Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="Kexample.+008+44658.private" Private-key-format: v1.3 Algorithm: 8 (RSASHA256) Modulus: jUqtRNX73eymNyMdGOROMs0hDpHj4xy27mTfSDvqhRiMsiCXb/mReynomagFX6e9XQUqlXFw+SREoRDUAVuEXzeYwe0npxZ5et7IYh8vDEHZFoR5/1Yn4ObP7wwsPK8lYQIQKWdu6abXoZeeujC0I4p1/ewlNokqEK8kVx2GYM9c+/ooL3FgsavWBIIAjLXqT2I3spBvIf02HiFcMXloFqBMdib24XP5d0YbLAmPrUMvYoiuNjIhua/4x2CDUQJUANlPv38hyimlw0GDHPf+BOCqrRPOjZCljiuUkm24d1+iE6sX9AB3SCLO+TG9r0uhVkYzB8LiNHIekZobp7jQ6aJRdfiE8lxEfXmZ15Ol1+mlz4DdUWZK6fI2vqARs/yIa4/pJIKKonJaiIqinWCw+mDfVuDkEY/9cWPUA5xlDooVXDbHKDJxmre4QZ6yYEnouso01EvoT8FcgiZpfXvcBY6YldzYMmJSGVX9+gQ2V7dvUa9+OJ+L0cdXikizFAsN PublicExponent: jUqtRNX73eymNyMdGOROMs0hDpHj4xy27mTfSDvqhRiMsiCXb/mReynomagFX6e9XQUqlXFw+SREoRDUAVuEXzeYwe0npxZ5et7IYh8vDEHZFoR5/1Yn4ObP7wwsPK8lYQIQKWdu6abXoZeeujC0I4p1/ewlNokqEK8kVx2GYM9c+/ooL3FgsavWBIIAjLXqT2I3spBvIf02HiFcMXloFqBMdib24XP5d0YbLAmPrUMvYoiuNjIhua/4x2CDUQJUANlPv38hyimlw0GDHPf+BOCqrRPOjZCljiuUkm24d1+iE6sX9AB3SCLO+TG9r0uhVkYzB8LiNHIekZobp7jQ6aJRdfiE8lxEfXmZ15Ol1+mlz4DdUWZK6fI2vqARs/yIa4/pJIKKonJaiIqinWCw+mDfVuDkEY/9cWPUA5xlDooVXDbHKDJxmre4QZ6yYEnouso01EvoT8FcgiZpfXvcBY6YldzYMmJSGVX9+gQ2V7dvUa9+OJ+L0Mdl7tn+z4aT PrivateExponent: ajIIzT4KesqfQ5tnQbzP4fBl0Vs3J1Ac+1sGpgIxwDRXkRtRYKXvKSQZMgdPZNREWjzobSnbSZTcwnk7WQocLua1wSgEX8eZuXO2RZj01Biv27PfJbfORKTp2h3bW0xRMPSuuitF6D1MRfKU4JFuwl7SYujvYs7pJOukn8X/aDQJ5gpmVSk5mBuSUf39nfrrU8HsL61PxuTXQwILhtwTEX3VxRlwnVEk5K/baffnyFDF+cJCXwG1Uq8i9QaocY3l1/vaxrGX5L92A7ZncD25+6dTZFRS0NLixKnGf56QfQC/mQlLuM6GlYU6wRZ3CkhhYP+W+/fa2dK708Psy6kUb8vM0Ney0WLQWvk0SuH7MYkLNMjYkEIMQShh4+93TWE6b26yrw+f6zvzbj8kD7OAoJjvBDT8jJPDV7u3zQYtJKDu6sca9SNvwJV4ff4/QqMp0cxo6/3iUP6Ki4okmK6PpiELwDbDxUiLTR1yCYNfsXaz1aJs5RfOMBu2RZ8UCiM= Prime1: 7r7gPva0az8xg/XH59Yix17DFYJ961FRVPeGH1I5yio7yaQ3hxi+af0bnnHwvBqZFMFG3nN9jxROj34CGIa7w/DQvkbPloLzV6jw0EI9rcadgw1RLx/oZZkbAS8iePcei7c0WGbihmV2zh4wovS/KNKZ8ecGDx+3sEBVSXjqIUEuNjF/rZtR9Ck6FVVcJILWOkRHtv041PMxMYgiib+BoVe6B3M2wAn06XebHLsFlX9wlFSXhUPl3mdkb3/UQDi5 Prime2: l4DE07QcysuXIRCuDVkU2XvouQn1O3mXtFVNBiJrEQnMFNtQC2Thb0lKlsPii0UAO8p8c4ff4C1sU25Q/ununmMBp7Af+XuYCd/c9iQzqAsRHXP068TQPmqELoIj5k6jmFxculrmhQJAR8JwiRNlVRdrevfuNPMiB9E8cZY6dO2IhOQYz+ITTOwEvaX9KQjYMu/4H0xSyipzx/Hbw/1Gmf1HEydXFON3v+XTGW/FjqX9Qz60xRK4kcIOCLAkxtL1 Exponent1: Zp7rGkmKvAT+XBnoQ9gn7Hb18j6JvFalHUFaxd5bcTDOByz3GzEl4DjHUvWZBJ9zP2Fkbo19WxAuF3VjDFaOvYHMt/rwQjWxMlIY1ttLZgU6J2xe6fupaBU59sSitj3+lziQFdXWx+5RLpg8wY47rrJt1FpuleVlO+v9cF3tCF3Ya+vox/1G5e6W1BP6F9YtZ3A6r3TKlds1rQJ1te9IeovbPpjZaR1qt96qFf+x81WsfUIhl1MT+cPKuKgSKcU7 Exponent2: b1jlIKE3nYqdmWSOfa2uk71LVR9PLkBKQBxB6uW+b1D2CEVM1Cd4uTXIQ5eHKx1h4oVIAUoK13Pz1fyYsMGzKTZN4vN/gVU6MAwaHuL7VjdTmQJ0VR43hFaJDxv3scR/fVKX6LSbw6bxV+fjXWtpvYk4lNQ/DMznJ6fKrIhHD76ZwEPK84exs4o6ce1Ksk8XRhc+0GPJNmfv3Xc9c2Ic56IyyKJOsCunU9iY1TNTYq2vNpt0rSxOTrBBhG6p4UoP Coefficient: CAoHtUJAwjjzFe4Sbpx0KetgIr3MGMYiGB7fvr6Qw1FLv6uSkPMdHdrEUNEZHrBJqcvBjlRtoZARJSiVpgKgRY9RjtoiVlNQAFazne+SkEPwBry2duAkwaroAGiBynnf77WiuINsjk9ZS9g8Sfa6nhkEgVN9j+kGGUjKle2gqIObhTLCbH7RcXkQUvDvgPACto706LLwcQGILnaE2zJ5LPUPhwS+nYACb1aJ02jHFUOy1s10ZdFK1Cd5/zjRk1Wt --fzNoPz5V2WUAWkFy Content-Type: application/pgp-keys Content-Disposition: attachment; filename="Kexample.+008+44658.key" example. IN DNSKEY 257 3 8 AAGAjUqtRNX73eymNyMdGOROMs0hDpHj4xy27mTfSDvqhRiMsiCXb/mReynomagFX6e9XQUqlXFw+SREoRDUAVuEXzeYwe0npxZ5et7IYh8vDEHZFoR5/1Yn4ObP7wwsPK8lYQIQKWdu6abXoZeeujC0I4p1/ewlNokqEK8kVx2GYM9c+/ooL3FgsavWBIIAjLXqT2I3spBvIf02HiFcMXloFqBMdib24XP5d0YbLAmPrUMvYoiuNjIhua/4x2CDUQJUANlPv38hyimlw0GDHPf+BOCqrRPOjZCljiuUkm24d1+iE6sX9AB3SCLO+TG9r0uhVkYzB8LiNHIekZobp7jQ6aJRdfiE8lxEfXmZ15Ol1+mlz4DdUWZK6fI2vqARs/yIa4/pJIKKonJaiIqinWCw+mDfVuDkEY/9cWPUA5xlDooVXDbHKDJxmre4QZ6yYEnouso01EvoT8FcgiZpfXvcBY6YldzYMmJSGVX9+gQ2V7dvUa9+OJ+L0Mdl7tn+z4aTjUqtRNX73eymNyMdGOROMs0hDpHj4xy27mTfSDvqhRiMsiCXb/mReynomagFX6e9XQUqlXFw+SREoRDUAVuEXzeYwe0npxZ5et7IYh8vDEHZFoR5/1Yn4ObP7wwsPK8lYQIQKWdu6abXoZeeujC0I4p1/ewlNokqEK8kVx2GYM9c+/ooL3FgsavWBIIAjLXqT2I3spBvIf02HiFcMXloFqBMdib24XP5d0YbLAmPrUMvYoiuNjIhua/4x2CDUQJUANlPv38hyimlw0GDHPf+BOCqrRPOjZCljiuUkm24d1+iE6sX9AB3SCLO+TG9r0uhVkYzB8LiNHIekZobp7jQ6aJRdfiE8lxEfXmZ15Ol1+mlz4DdUWZK6fI2vqARs/yIa4/pJIKKonJaiIqinWCw+mDfVuDkEY/9cWPUA5xlDooVXDbHKDJxmre4QZ6yYEnouso01Ev oT8FcgiZpfXvcBY6YldzYMmJSGVX9+gQ2V7dvUa9+OJ+L0cdXikizFAsN --fzNoPz5V2WUAWkFy--