On Tuesday, May 22, 2018 at 1:27:16 PM UTC-4, Ryan Sleevi wrote:
> On Tue, May 22, 2018 at 1:03 PM, Paul Wouters <p...@nohats.ca> wrote:
>
> > I know of 12400 512-bit RSA ZSKs in a total of about 6.5 million. And I
> > consider those to be an operational mistake.
>
> http://tma.ifip.org/wordpress/wp-content/uploads/2017/06/tma2017_paper58.pdf
> has some fairly damning empirical data about the reliability of those
> records, which is not in line with your anecdata.
One of the reasons that the number of 512-bit keys is indeed now only ~12k (and gradually decreasing) is rooted in a passing comment in that paper: "The majority of them can be attributed to a hosting provider below cz."

As it turns out, I played a role in remediating that problem:

https://lists.dns-oarc.net/pipermail/dns-operations/2017-October/016880.html

My focus is more operational than academic, so instead of writing a paper, I posted to the dns-operations list, and not long after that post the folks at "wedos.cz" resigned all the zones in question with 1024-bit or better keys.

It remains to address the same issue at approximately three providers to essentially eliminate 512-bit keys from DNSSEC:

https://twitter.com/VDukhovni/status/998341243800301568

So no, Paul's numbers are not "anecdata", and it is unwise to imply such a thing without knowing the full story. The DANE survey is identifying, publicizing and driving remediation of various neglected aspects of DNSSEC operations, and the overall ecosystem is getting considerably healthier than it was back in 2014.

--
Viktor.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
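As an added example (not code from this thread or from the DANE survey's own tooling), the check below measures the RSA modulus size of DNSKEY records in RFC 3110 wire encoding and flags keys below 1024 bits, which is the kind of scan that turns up the 512-bit ZSKs discussed above; the owner names and key material are constructed placeholders, not real zones.

```python
import base64

RSA_ALGORITHMS = {5, 7, 8, 10}  # DNSKEY algorithms carrying an RFC 3110 RSA key

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size in bits of an RFC 3110 encoded RSA public key."""
    if not pubkey:
        raise ValueError("empty public key")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        # A zero first octet means the exponent length follows in two octets.
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    # Leading zero octets do not count toward the key size; an absent
    # modulus yields 0 bits and is therefore reported as weak.
    return int.from_bytes(modulus, "big").bit_length()

def parse_dnskey(rdata_text: str) -> dict:
    """Parse DNSKEY RDATA in presentation form: '<flags> <proto> <alg> <base64>'."""
    flags, _proto, alg, *key_parts = rdata_text.split()
    flags, alg = int(flags), int(alg)
    pubkey = base64.b64decode("".join(key_parts))
    return {
        "algorithm": alg,
        # Flag value 1 is the SEP bit, conventionally set on KSKs only.
        "role": "KSK" if flags & 1 else "ZSK",
        "bits": rsa_modulus_bits(pubkey) if alg in RSA_ALGORITHMS else None,
    }

def weak_rsa_keys(records, minimum_bits=1024):
    """Return (owner, role, bits) for every RSA DNSKEY shorter than minimum_bits."""
    weak = []
    for owner, rdata in records:
        info = parse_dnskey(rdata)
        if info["bits"] is not None and info["bits"] < minimum_bits:
            weak.append((owner, info["role"], info["bits"]))
    return weak

def make_rsa_dnskey(flags: int, alg: int, modulus_bits: int) -> str:
    """Constructed test data: DNSKEY RDATA with a dummy modulus of the given size."""
    modulus = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big")
    pubkey = b"\x03" + (65537).to_bytes(3, "big") + modulus  # exponent length, e, n
    return f"{flags} 3 {alg} {base64.b64encode(pubkey).decode()}"

# Constructed sample records; the owner names are placeholders, not real zones.
SAMPLE_RECORDS = [
    ("zsk512.example.", make_rsa_dnskey(256, 7, 512)),
    ("ksk2048.example.", make_rsa_dnskey(257, 8, 2048)),
    ("zsk1024.example.", make_rsa_dnskey(256, 8, 1024)),
]
```

Running `weak_rsa_keys(SAMPLE_RECORDS)` reports only the 512-bit ZSK; raising `minimum_bits` to 2048 also reports the 1024-bit one.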