On Fri, 24 Apr 2009, Evan Hunt wrote:

> a) KSKs longer than ZSKs because KSKs are thought of as needing to be
> stronger
>
> b) KSKs the same strength as ZSKs because neither should be weak enough
> to be attacked
>
> I prefer (b), but (a) keeps coming up in this discussion.
>
> It's a little imprecise, but I'm inclined to think of key lifetime as an
> aspect of key strength.  A 1024-bit key that rolls over every week may be
> "stronger", in a sense, than a 2048-bit key that stays around for twenty
> years--the second one could be broken within its lifetime, the first one
> probably not.

But the essential part is that once you see, say after 10 years, that the
2048-bit KSK comes into the "feasible but impractical" scale of things due
to advancements in math or technology, you can decide to roll it over
fairly quickly.

> IMHO it's reasonable to make recommendations with that tradeoff in mind; a
> ZSK may be as long as a KSK, or it may be shorter if it's rolled over more
> frequently.  (I think 4641bis already says something along those lines.)

What I was told by my "lunching cryptographer" was that 1024 bits were more
than enough even for multi-year KSKs, assuming signing only, no encryption.

From a cryptographic strength point of view, more is always better,
but now you need to consider the work done by you and the resolvers, and the
space constraints of the DNS packet size.

I don't see a cryptographic reason for Paul Hoffman's "I'd like the keys to
be of equal size". Unless you'd argue that the KSK could easily also be
1024-bit, and that the additional 11 months of validity of the KSK is
negligible compared to the time, now up to 3 years from now, to break a
1024-bit RSA key.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
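The "space constraints of the DNS packet size" mentioned in the message above can be put in numbers. The following is an added example, not code from the thread or from any of its participants: it computes the wire size of the response to a DNSKEY query for a zone holding one RSA KSK and one RSA ZSK, using the RFC 4034 DNSKEY/RRSIG layouts and the RFC 3110 RSA public-key encoding, and compares the result with the classic 512-byte UDP limit of RFC 1035. Assumptions (not from the thread): the zone is `example.`, the public exponent is 65537, answer-section owner names are compressed to a pointer at the question, an empty EDNS0 OPT record is present, and the modulus bytes are a placeholder of the right length rather than a real key, since only the size matters here.

```python
"""Wire-size budget of a DNSSEC DNSKEY response for a KSK/ZSK size choice.

Added example for the KSK/ZSK key-length discussion; not part of the original
thread. Key material is a constructed placeholder: only lengths are computed.
"""
import struct

DNS_HEADER_LEN = 12       # RFC 1035 header
RR_FIXED_LEN = 10         # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
OPT_RR_LEN = 11           # root owner (1) + fixed part, no EDNS options
RRSIG_FIXED_LEN = 18      # type covered, alg, labels, orig TTL, expiry, inception, key tag
CLASSIC_UDP_LIMIT = 512   # RFC 1035 payload limit without EDNS0
RSA_SHA256 = 8            # algorithm number; does not influence the size


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a domain name: "example." -> b"\\x07example\\x00"."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def rsa_public_key_field(modulus_bits: int, exponent: int = 65537) -> bytes:
    """RFC 3110 RSA public key field: exponent length, exponent, modulus.

    The modulus is a constructed placeholder (all 0xff) of the requested
    length; it is not a usable key and is only here to get the size right.
    """
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        exp_len = bytes([len(exp)])                 # one-octet length
    else:
        exp_len = b"\x00" + struct.pack("!H", len(exp))  # zero, then two-octet length
    modulus = b"\xff" * (modulus_bits // 8)
    return exp_len + exp + modulus


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """RFC 4034 DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def rrsig_rdata_len(signer: str, modulus_bits: int) -> int:
    """RRSIG RDATA length: 18 fixed octets, the uncompressed signer name
    (RFC 4034 forbids compressing it) and an RSA signature, which is always
    exactly as long as the modulus."""
    return RRSIG_FIXED_LEN + len(encode_name(signer)) + modulus_bits // 8


def dnskey_response_size(zone: str, ksk_bits: int, zsk_bits: int,
                         sign_with_zsk: bool = True, edns: bool = True,
                         compress: bool = True) -> int:
    """Octets on the wire for the answer to 'DNSKEY <zone>': header, question,
    both DNSKEY RRs, the RRSIG(s) over the DNSKEY RRset, and optionally an OPT RR.

    The KSK signature is mandatory (RFC 4035); the ZSK signature is what many
    signers add by default and is made optional here.
    """
    question_name = encode_name(zone)
    # Answer-section owner names are a 2-octet pointer back to the question name.
    owner_len = 2 if compress else len(question_name)
    size = DNS_HEADER_LEN + len(question_name) + 4          # + QTYPE, QCLASS
    for flags, bits in ((257, ksk_bits), (256, zsk_bits)):  # 257 = ZONE|SEP (KSK)
        rdata = dnskey_rdata(flags, RSA_SHA256, rsa_public_key_field(bits))
        size += owner_len + RR_FIXED_LEN + len(rdata)
    signers = [ksk_bits] + ([zsk_bits] if sign_with_zsk else [])
    for bits in signers:
        size += owner_len + RR_FIXED_LEN + rrsig_rdata_len(zone, bits)
    if edns:
        size += OPT_RR_LEN
    return size


def fits_classic_udp(size: int) -> bool:
    """True if the response would not be truncated by a non-EDNS resolver."""
    return size <= CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    for ksk, zsk in ((2048, 1024), (1024, 1024), (2048, 2048)):
        for with_zsk in (True, False):
            size = dnskey_response_size("example.", ksk, zsk, sign_with_zsk=with_zsk)
            sigs = "KSK+ZSK" if with_zsk else "KSK only"
            print(f"KSK {ksk} / ZSK {zsk}, signed by {sigs}: {size} octets, "
                  f"{'fits' if fits_classic_udp(size) else 'exceeds'} 512")
```

Running it shows why the size question is not purely cryptographic: with a 2048-bit KSK and a 1024-bit ZSK the DNSKEY response already needs EDNS0 or TCP, and even two 1024-bit keys only stay under 512 octets when the RRset carries a single signature.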
