Hello, Mukund san, Thank you. The verification speed of existing RSA depends on e being small (65537), but there is no limit to using a large e.
I'll think about adding some text as well, and I'd appreciate any additional text you can suggest. Regards, -- Kazunori Fujiwara > From: Mukund Sivaraman <[email protected]> > Dear Fujiwara san, > > On Tue, Feb 10, 2026 at 04:28:22PM +0900, Kazunori Fujiwara wrote: >> Dear dnsop WG, >> >> Authors submitted draft-fujiwara-dnsop-dns-upper-limit-values-05. >> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-dns-upper-limit-values/ > > Would you also consider adding a limit on the size of the RSA public > exponent "e" in the DNSSEC validation path? There is no low limit on the > public exponent in PKCS #1 (it can be up to modulus - 1). While the RSA > modulus itself is limited by DNS RFCs 3110 and 5702 to a max of 4096 > bits, there is no limit on the public exponent (it can be up to modulus > - 1). > > Having a small RSA public exponent is important for efficient RSA > signature validation, otherwise validation performance can be > significantly degraded. RFC 3110 recommends that it be small, but this > doesn't prevent an attacker from using a high value. > > FIPS 186-5 and NIST 800-56B specify 2^16 < e < 2^256, but there are > several TLDs still using e=3, so the lower limit cannot be 65537. There > should be a high limit. > > Crypto libraries may limit the RSA public exponent. For example, current > OpenSSL master HEAD limits it as below in the signature verify path: > > /* for large moduli, enforce exponent limit */ > if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) { > if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) { > ERR_raise(ERR_LIB_RSA, RSA_R_BAD_E_VALUE); > return -1; > } > } > > where OPENSSL_RSA_SMALL_MODULUS_BITS is 3072, and > OPENSSL_RSA_MAX_PUBEXP_BITS is 64. However if the modulus size is 3072 > bits, the public exponent is unchecked and can be up to 3072 bits. Some > crypto libraries may not limit "e" at all. This may not be an issue in > some other applications, but performance of DNSSEC validation at > resolvers can be severely affected if it is used unchecked. > > So, it would be sensible to limit the RSA public exponent size at the > application layer (DNSSEC validator). > > BIND has limited it since at least 2012. Loop derived from BIND and also > has had the limit (though the limits were changed in Loop last year as > part of OpenSSL 3 rewrite of the crypto code). I am not familiar with > other implementations. > > A sample RSA keypair with a 3072-bit RSA public exponent is attached. > It causes validation performance to drop by orders of magnitude if "e" > is not checked in the DNSSEC validator linked against OpenSSL. > > Sample times for verifying 4096 RRsets: > > +---------------------------------+---------------+----------+ > | CPU (single core/thread) | log_2(e)=3072 | e=65537 | > +---------------------------------+---------------+----------+ > | Intel(R) Core(TM) Ultra 9 275HX | 31.275s | 0.356s | > +---------------------------------+---------------+----------+ > | ARM Cortex-A76 (Raspberry Pi 5) | 311.289s | 2.498s | > +---------------------------------+---------------+----------+ > > Mukund _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
