On Thu, Oct 1, 2015 at 7:08 PM, Shumon Huque <[email protected]> wrote:
> On Thu, Oct 1, 2015 at 3:02 PM, Dave Lawrence <[email protected]> wrote:
>
>> Does anyone have a chart handy of the rdata length of the RRSIGs
>> generated using different algorithms? It seems to me that I have seen
>> such a summary (possibly even one I made myself years ago, in notes)
>> but am not able to find it now.
>>
>
> Don't have a chart handy, but to quickly answer: if you just want the
> signature portion of the RRSIG RDATA (i.e. excluding the parameters:
> signature inception/expiration, algorithm/protocol numbers etc), then the
> RSA signatures are the same as the keysize, so a 2048-bit RSASHA256 (or
> RSASHA1) algorithm will have a 2048-bit signature. The ECDSA algorithms
> will have signatures twice the size of the curvepoint, so ECDSAP256 will
> have a 512-bit signature, and ECDSAP356 will have a 768-bit signature.
>
> The rest of the RRSIG parameters add a small fixed size to the rdata.
>

One small correction: one of the parameters, the signer's name, is a
variable length domain name, so the last statement I made was not correct!

Shumon.
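Added example, not part of the original message or written by its authors: a small calculator for the full RRSIG RDATA length, combining the signature sizes described above with the variable-length signer's name. The 18-octet fixed portion follows the RRSIG layout in RFC 4034; the function names and the sample zone names are assumptions made for illustration.

```python
# RRSIG RDATA length = fixed fields + signer's name (wire format) + signature.
# Fixed fields per RFC 4034: Type Covered(2) + Algorithm(1) + Labels(1)
# + Original TTL(4) + Expiration(4) + Inception(4) + Key Tag(2) = 18 octets.
FIXED_FIELDS = 18

# ECDSA signatures are r || s, each as wide as the curve (twice the curve size).
ECDSA_CURVE_BITS = {"ECDSAP256SHA256": 256, "ECDSAP384SHA384": 384}
RSA_ALGORITHMS = {"RSASHA1", "RSASHA256"}


def wire_name_length(name: str) -> int:
    """Octets in an uncompressed wire-format name (RRSIG signer names are never compressed)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    if any(len(label.encode("ascii")) > 63 for label in labels):
        raise ValueError("label longer than 63 octets")
    # One length octet per label, plus the terminating root label.
    length = sum(1 + len(label) for label in labels) + 1
    if length > 255:
        raise ValueError("name longer than 255 octets")
    return length


def signature_length(algorithm: str, rsa_key_bits: int = 0) -> int:
    """Octets in the signature field alone."""
    if algorithm in RSA_ALGORITHMS:
        if rsa_key_bits <= 0:
            raise ValueError("RSA needs a key size")
        return (rsa_key_bits + 7) // 8  # same size as the modulus
    if algorithm in ECDSA_CURVE_BITS:
        return 2 * ECDSA_CURVE_BITS[algorithm] // 8
    raise ValueError(f"unknown algorithm {algorithm}")


def rrsig_rdata_length(algorithm: str, signer: str, rsa_key_bits: int = 0) -> int:
    """Total RRSIG RDATA length in octets."""
    return (FIXED_FIELDS + wire_name_length(signer)
            + signature_length(algorithm, rsa_key_bits))


if __name__ == "__main__":
    rows = [("RSASHA1", 1024), ("RSASHA256", 2048),
            ("ECDSAP256SHA256", 0), ("ECDSAP384SHA384", 0)]
    # Constructed sample zones showing how the signer's name shifts the total.
    for signer in ("example.com.", "a.long.delegated.zone.example.com."):
        for alg, bits in rows:
            print(f"{signer:36} {alg:16} {bits or '-':>5} "
                  f"{rrsig_rdata_length(alg, signer, bits):4} octets")
```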
