> That is fine, but so is 1024 bit KSKs. The text in RFC 4641bis makes it
> clear that KSKs should be rollable in case of an emergency; the effort to
> do so is greater, but not that much greater, than rolling a ZSK.

Considering the necessity of getting new DS/DLV records into the parent/DLV zones and/or getting public keys properly distributed to everyone who needs them (either directly or via ITAR or other key repositories), it sure seems to me that the effort to roll a KSK is "that much greater". Rolling a ZSK doesn't require coordination with anyone else.

> The WG should decide which seems better to recommend:
>
> a) KSKs longer than ZSKs because KSKs are thought of as needing to be
> stronger
>
> b) KSKs the same strength as ZSKs because neither should be weak enough
> to be attacked
>
> I prefer (b), but (a) keeps coming up in this discussion.

It's a little imprecise, but I'm inclined to think of key lifetime as an aspect of key strength. A 1024-bit key that rolls over every week may be "stronger", in a sense, than a 2048-bit key that stays around for twenty years--the second one could be broken within its lifetime, the first one probably not. IMHO it's reasonable to make recommendations with that tradeoff in mind; a ZSK may be as long as a KSK, or it may be shorter if it's rolled over more frequently. (I think 4641bis already says something along those lines.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
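The message above argues that the acceptable lifetime of a DNSSEC key depends on both its role (KSK vs ZSK) and its size. The following is an added example, not code from the thread or from ISC: it parses DNSKEY records in presentation format, reads the key role from the SEP flag (RFC 4034) and the RSA modulus size from the RFC 3110 public-key encoding, and then checks the key's age against a per-role, per-size lifetime policy. The policy numbers and the sample records are constructed for illustration only; the "keys" are synthetic moduli of the right bit length, not real key material.

```python
import base64
from dataclasses import dataclass

# RFC 4034 DNSKEY flag bits
ZONE_KEY_FLAG = 0x0100
SEP_FLAG = 0x0001          # Secure Entry Point: set on KSKs

# DNSKEY algorithm numbers that carry an RFC 3110 encoded RSA key
RSA_ALGORITHMS = {5, 7, 8, 10}   # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512


@dataclass
class DnskeyInfo:
    flags: int
    algorithm: int
    role: str        # "KSK", "ZSK" or "non-zone-key"
    rsa_bits: int    # modulus size; 0 for non-RSA algorithms


def encode_rfc3110(exponent: int, modulus: int) -> bytes:
    """Build the RFC 3110 wire encoding: exponent length, exponent, modulus.
    Used here only to construct sample records (assumption: synthetic key material)."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    hdr = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return hdr + e + n


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 encoded RSA public key."""
    if not pubkey:
        raise ValueError("empty public key")
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1            # one-byte exponent length
    else:
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3   # three-byte form
    modulus = pubkey[off + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(rr: str) -> DnskeyInfo:
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags = int(fields[idx + 1])
    protocol = int(fields[idx + 2])
    algorithm = int(fields[idx + 3])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    if not flags & ZONE_KEY_FLAG:
        role = "non-zone-key"
    else:
        role = "KSK" if flags & SEP_FLAG else "ZSK"
    bits = rsa_modulus_bits(pubkey) if algorithm in RSA_ALGORITHMS else 0
    return DnskeyInfo(flags, algorithm, role, bits)


# Illustrative policy (constructed, not an RFC recommendation): maximum age in
# days allowed for a key of a given role and RSA size. Shorter keys must roll
# more often; sizes absent from the table are not permitted at all.
SAMPLE_POLICY = {
    "ZSK": {1024: 30, 2048: 365},
    "KSK": {2048: 730},
}


def lifetime_ok(info: DnskeyInfo, age_days: int, policy=SAMPLE_POLICY) -> bool:
    """True if the key's role/size combination is allowed and it is within its max age."""
    limit = policy.get(info.role, {}).get(info.rsa_bits)
    return limit is not None and age_days <= limit


def sample_record(flags: int, bits: int) -> str:
    """Constructed DNSKEY record with a synthetic modulus of the requested size."""
    modulus = (1 << (bits - 1)) | 1       # correct bit length, obviously not a real key
    key_b64 = base64.b64encode(encode_rfc3110(65537, modulus)).decode()
    return f"example.test. 3600 IN DNSKEY {flags} 3 8 {key_b64}"


if __name__ == "__main__":
    zsk = parse_dnskey(sample_record(256, 1024))
    ksk = parse_dnskey(sample_record(257, 2048))
    print(zsk, "ok at 7 days:", lifetime_ok(zsk, 7), "ok at 90 days:", lifetime_ok(zsk, 90))
    print(ksk, "ok at 365 days:", lifetime_ok(ksk, 365))
```

A 1024-bit ZSK that is a week old passes the sample policy while the same key at 90 days fails, which is the tradeoff the message describes; a 1024-bit KSK is rejected outright because the policy table lists no permitted age for it.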