I was dealing with some people from a company whose DNSSEC KSK sported a key tag (or key ID) of 61000, which tickled my fancy, and, as things go, one thing led to another: you click here, you click there, and suddenly there’s this post about generating vanity DNSSEC key tags. I was in relax mode, so I experimented with a slightly different version. Which nice-looking key tags could I get?



```bash
zone=${1:?usage: $0 zone}   # zone name; not set in the original snippet, so pass it as the first argument
for d in {1..1000}; do
    mkdir -p $d
    for i in {1..100}; do
        # dnssec-keygen prints the key file name, K<zone>.+013+<keytag>;
        # the third '+'-separated field is the key tag
        id=$(dnssec-keygen -K $d -a 13 -fk $zone | cut -f3 -d'+')
        echo $id >> $d/keytags.txt
    done
    sleep 5
done
```

I ran the key generations on a fast workstation and occasionally glanced at what had so far been produced:

```
$ egrep '(1111|2222|3333|4444|0000|5555|6666|7777|8888|9999)' */keytags.txt |
	awk -F: '{ print $2, $1 }' |
	sort -rn
11110 504/keytags.txt
07777 193/keytags.txt
05555 118/keytags.txt
05555 350/keytags.txt
00006 385/keytags.txt
00005 132/keytags.txt
```
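The key tag that dnssec-keygen puts in the file name, and that the loop and grep above sift through, is nothing more than a 16-bit checksum of the DNSKEY RDATA (RFC 4034, Appendix B), which is why brute-forcing it is cheap and why collisions pile up quickly. The following Python is an added example, not code from the post: it computes the tag for a DNSKEY record, applies the same four-repeated-digits vanity test as the egrep, and estimates how many distinct tags a run of n random keys should yield. SAMPLE_DNSKEY is a constructed record with a dummy 64-byte public key, not a real key.

```python
import base64
import re
import struct


def key_tag(rdata: bytes) -> int:
    """Key tag of DNSKEY RDATA (flags|protocol|algorithm|public key), RFC 4034 App. B.
    Even-offset bytes count as the high byte of a 16-bit word, odd-offset bytes as the
    low byte; the carry out of 16 bits is folded back in once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tag_from_presentation(record: str) -> int:
    """Key tag of a DNSKEY in zone-file form: '<flags> <protocol> <algorithm> <base64>'.
    The base64 may be split into several whitespace-separated chunks, as dig prints it."""
    flags, protocol, algorithm, *b64 = record.split()
    pubkey = base64.b64decode("".join(b64))
    rdata = struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + pubkey
    return key_tag(rdata)


def is_vanity(tag: int) -> bool:
    """Same test as the egrep in the post: four identical digits somewhere in the
    five-digit, zero-padded tag that dnssec-keygen uses in the key file name."""
    return re.search(r"(\d)\1{3}", f"{tag:05d}") is not None


def expected_unique(n: int, space: int = 1 << 16) -> float:
    """Expected number of distinct tags among n keys, treating tags as uniform
    draws from the 16-bit space: space * (1 - (1 - 1/space)**n)."""
    return space * (1 - (1 - 1 / space) ** n)


# Constructed sample: a KSK (flags 257) using algorithm 13 with a dummy
# 64-byte "public key" consisting of the bytes 0x00..0x3f. Not a real key.
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    tag = key_tag_from_presentation(SAMPLE_DNSKEY)
    print(f"key tag {tag:05d}, vanity: {is_vanity(tag)}")
    print(f"expected distinct tags from 65000 keys: {expected_unique(65000):.0f}")
```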

After generating 65,000 keys, which yielded 41,000 unique key tags, the moment of great decision approached: which of all the lovely numbers to take? I settled for the one and only:

DNSViz view of key

I’ve frequently mentioned I’m not a fan of key rollovers, but hey, this is different, right? ;-)

Then comes @Shaft and spoils my day: ;-)

John Shaft's comment about vanity NSEC3 records ;)

I was humming Carly Simon’s song “You’re So Vain” this morning, but she couldn’t have meant me: when she wrote the song in 1971 there was no DNS, let alone DNSSEC. :-)

dnssec and fun :: 11 Oct 2021 :: e-mail