Follow-up from "Resolve "Remove support for insecure RSAMD5""
The following discussion from !1106 (merged) should be addressed:
- @matthijs started a discussion: (+2 comments)

  This comes from RFC 3110, section 4: Performance Considerations:

  > A public exponent of 3 minimizes the effort needed to verify a signature. Use of 3 as the public exponent is weak for confidentiality uses since, if the same data can be collected encrypted under three different keys with an exponent of 3 then, using the Chinese Remainder Theorem [NETSEC], the original plain text can be easily recovered. If a key is known to be used only for authentication, as is the case with DNSSEC, then an exponent of 3 is acceptable. However other applications in the future may wish to leverage DNS distributed keys for applications that do require confidentiality. For keys which might have such other uses, a more conservative choice would be 65537 (F4, the fourth fermat number).

  I don't know if there are more weak exponents nowadays, and I don't know if other RFCs advise against other public exponent values. I would suggest leaving the check as is and updating the `XXXOND` documentation with the RFC 3110 reference.
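
As an added illustration (not BIND's code and not the check discussed in !1106), the following C helper reads the public exponent out of an RSA public key field laid out as in RFC 3110 section 2 and separates the exponent 3 and 65537 cases that the quoted paragraph names. The function name, the enum and the sample key bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum exp_class { EXP_MALFORMED, EXP_THREE, EXP_F4, EXP_OTHER };

/* Constructed sample key fields (tiny moduli, for illustration only). */
static const uint8_t key_e3[]  = { 0x01, 0x03, 0xC5, 0x3B, 0x91, 0x0D };
static const uint8_t key_f4[]  = { 0x03, 0x01, 0x00, 0x01, 0xC5, 0x3B, 0x91, 0x0D };
static const uint8_t key_bad[] = { 0x00, 0x00, 0x09, 0x03 }; /* length overruns data */

/* Hypothetical helper: parse the RFC 3110 section 2 layout
 * (exponent length | exponent | modulus) and classify the exponent. */
enum exp_class classify_rsa_exponent(const uint8_t *key, size_t len, uint64_t *exp_out)
{
    size_t elen, off = 1;
    uint64_t e = 0;

    if (len < 1) return EXP_MALFORMED;
    elen = key[0];
    if (elen == 0) {                 /* long form: two-octet length follows */
        if (len < 3) return EXP_MALFORMED;
        elen = ((size_t)key[1] << 8) | key[2];
        off = 3;
    }
    /* Need a non-empty exponent and at least one modulus octet after it. */
    if (elen == 0 || elen >= len - off) return EXP_MALFORMED;
    /* RFC 3110 prohibits leading zero octets in exponent and modulus. */
    if (key[off] == 0 || key[off + elen] == 0) return EXP_MALFORMED;
    if (elen > 8) {                  /* wider than uint64_t: value not returned */
        if (exp_out) *exp_out = 0;
        return EXP_OTHER;
    }
    for (size_t i = 0; i < elen; i++) e = (e << 8) | key[off + i];
    if (e < 3 || (e & 1) == 0) return EXP_MALFORMED;  /* not a usable RSA exponent */
    if (exp_out) *exp_out = e;
    return e == 3 ? EXP_THREE : e == 65537 ? EXP_F4 : EXP_OTHER;
}

int main(void)
{
    uint64_t e = 0;
    int c = classify_rsa_exponent(key_e3, sizeof key_e3, &e);
    printf("class=%d exponent=%llu\n", c, (unsigned long long)e);
    return 0;
}
```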