Roland van Rijswijk wrote:
>> we did some small research on secure and recommended key sizes
>> and the result was that <1024 RSA keys are insecure (in
>> fact 512-bit keys can be factorized on common hardware).
>>
>> We came to the conclusion that to be on a safe side the default should be:
>>
>> ZSK >= 1280 bits
>> KSK >= 2048 bits
>>
>> With 1024 bits safe now, but recommended to be rolled to a higher number
>> of bits this year.
>>
>> These numbers are just for 2012 and may be updated as time changes.
>
> I'm missing some context information here; what made you conclude that
> 1024 bits would no longer be safe after 2012?
Some additional context: We also know that certain registrars share a KSK and ZSK for thousands of domains, signing RRs on behalf of the users (it's a feature for users that do not want to deal with signing directly). That makes such keys much more valuable (also, using keys in this way is generally not a good idea, but we have to deal with that later).

We based the key sizes mostly on the ECRYPT II 2011 report: http://www.ecrypt.eu.org/documents/D.SPA.17.pdf

(There is also a very, very distilled table on suggested key sizes here: http://www.keylength.com/en/3/)

> Doesn't that also depend on the key rollover frequency used? I would argue that for the
> commonly used ZSK rollover frequencies (i.e. 1-3 months) 1024 bit
> still suffices. And using a 1024 bit key has distinct benefits since
> it reduces the on-the-wire size of signatures as well as the
> on-the-wire size of the DNSKEY set.

Yes, rollover frequency is a factor, but I agree with Eric Rescorla that key rollover may not add as much security compared to increasing key size: http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html

> It is - of course - a different situation for the KSK. I would assume
> that to be much longer lived, in which case 2048 bit is a pretty safe
> bet for the foreseeable future (unless quantum computing becomes a
> reality this year ;-) ). Again, my opinion is that anything larger
> does not make sense (so I object somewhat to the
> greater-than-or-equals sign in your message above)

Agreed. A better formulation might be: "minimal KSK RSA modulus size: 2048 bits, recommended size: 2048 bits" (which basically means the same as the greater-than-or-equal sign :-))

> The last time I checked, the state of the art was that 768-bit is no
> longer considered secure (see also
> http://arstechnica.com/security/news/2010/01/768-bit-rsa-cracked-1024-bit-safe-for-now.ars)
> against brute force attacks but that 1024-bit should be fine for some
> years to come.
While there is no official record of factoring a 1024-bit key, the ECRYPT report mentions a claim that a 1024-bit key could have been factorized in a worst-case scenario (pdf page 37). On the following page, RFC 3766 and 4359 are mentioned - RFC 4359 gave a 1 year max lifetime to a 1024-bit modulus (written in 2006). Chapter 7 sums up minimum key sizes that give protection only for a few months against various attackers (the threat model is important when choosing things like key sizes).

Ondrej Mikle
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
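As an added example (not from the thread and not OpenDNSSEC code), the following script applies the minimum sizes proposed above (ZSK 1280 bits, KSK 2048 bits) to DNSKEY records: it recovers the RSA modulus length from the RFC 3110 public key encoding and picks the threshold from the flags field (256 = ZSK, 257 = KSK with the SEP bit). The thresholds, algorithm list and sample records are assumptions and constructions for illustration, not real keys.

```python
import base64
import struct

# Minimum RSA modulus sizes (bits) proposed in the thread, keyed by DNSKEY flags:
# 256 = Zone Key only (ZSK), 257 = Zone Key + SEP bit (KSK).
MIN_BITS = {256: 1280, 257: 2048}
RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def rsa_modulus_bits(pubkey_b64: str) -> int:
    """Modulus length in bits from RFC 3110 public key data: exponent length
    (1 byte, or 0x00 plus a 2-byte big-endian length), exponent, modulus."""
    raw = base64.b64decode(pubkey_b64)
    if raw[0] != 0:
        exp_len, offset = raw[0], 1
    else:
        exp_len, offset = struct.unpack(">H", raw[1:3])[0], 3
    return int.from_bytes(raw[offset + exp_len:], "big").bit_length()

def check_dnskey(flags: int, algorithm: int, pubkey_b64: str) -> str:
    """'ok' or 'weak' against MIN_BITS; 'skipped' for non-RSA or unknown flags."""
    if algorithm not in RSA_ALGORITHMS or flags not in MIN_BITS:
        return "skipped"
    return "ok" if rsa_modulus_bits(pubkey_b64) >= MIN_BITS[flags] else "weak"

def audit_dnskey_rrs(zone_text: str) -> list:
    """Audit presentation-format DNSKEY RRs (one per line, as dig prints them);
    returns a list of (owner, flags, verdict)."""
    results = []
    for fields in (line.split() for line in zone_text.splitlines()):
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, _protocol, algorithm = map(int, fields[i + 1:i + 4])
        pubkey = "".join(fields[i + 4:])  # base64 may be split by whitespace
        results.append((fields[0], flags, check_dnskey(flags, algorithm, pubkey)))
    return results

def encode_rsa_dnskey(exponent: int, modulus: int) -> str:
    """RFC 3110 encoding for *constructed* test moduli (1-byte exponent length)."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return base64.b64encode(bytes([len(exp)]) + exp + mod).decode()

# Constructed sample zone: a 1024-bit ZSK and a 2048-bit KSK; the moduli are
# size placeholders, not real RSA keys.
SAMPLE_ZONE = "\n".join([
    "example. 3600 IN DNSKEY 256 3 8 " + encode_rsa_dnskey(65537, (1 << 1023) | 1),
    "example. 3600 IN DNSKEY 257 3 8 " + encode_rsa_dnskey(65537, (1 << 2047) | 1),
])
```

Running `audit_dnskey_rrs(SAMPLE_ZONE)` flags the 1024-bit ZSK as weak under the proposed policy while the 2048-bit KSK passes; non-RSA algorithms are skipped rather than misjudged.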