On Mar 27, 2014, at 7:22 AM, Joe Abley <jab...@hopcount.ca> wrote:

> On 27 Mar 2014, at 22:56, Nicholas Weaver <nwea...@icsi.berkeley.edu> wrote:
>
>> Bits are not precious: Until a DNS reply hits the fragmentation limit of
>> ~1500B, size-matters-not (tm, Yoda Inc).
>>
>> So why are both root and com and org and, well, just about everyone else
>> using 1024b keys for the actual signing?
>
> Those requirements (for the root zone keys) came from NTIA via NIST:
>
> http://www.ntia.doc.gov/files/ntia/publications/dnssec_requirements_102909.pdf
> (9)(a)(i)
>
> (well, NIST specified a minimum key size, but the implication at the time was
> that that was a safe minimum).

Obligatory Snarky Note: these being the same people who, after 2007, said that, although you can create your own constants, you MUST still use the specified magic constants for Dual_EC_DRBG if you wanted certification, even though it was shown that whoever generated the magic constants could have placed a backdoor in them...

But seriously: it was clear back a decade ago that 1024b RSA should be deprecated in 2010:

(current)
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

(historical)
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf

1024b RSA is really considered by NIST as only ~80 bits symmetric strength equivalent.

> Bear in mind, I guess, that these keys have a publication lifetime that is
> relatively short. The window in which a factoring attack has an opportunity
> to find a result that can be exploited as a compromise is fairly narrow.

Except that if I'm in a position to actually use an old-factored root key, I'm probably also in a position to F-up your NTP. How many computers complain bloody murder if the NTP server says "oh, your clock is wrong by 20 days (or 200 days), here you go"? And even if they do, how many users understand what that would mean?

And "relatively short" is still two weeks. That is well within range of a nation-state adversary willing to build a custom sieving machine. Look at how much SHA256 power has been generated with a well under $50M aggregate spending: it's 35 PHash/s!

We do want DNSSEC to work in the face of a nation state adversary, no? Do you want to bet that the NSA has not already built a 1024b RSA factoring machine?

Likewise, we do want the ability to do historical things, no? E.g. DNSSEC signature at time T to attest to a fact, using the captured DNSSEC validation chain at the time?

Frankly speaking, since the root uses NSEC rather than NSEC3, IMO it should be 4096b for both the KSK and ZSK. But I'd be happy with 2048b.

Using 1024b is a recipe to ensure that DNSSEC is not taken seriously.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu        full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
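
An added example, not part of the original message or of any DNSSEC tool: a check for the key sizes this thread argues about. It parses RSA DNSKEY records in presentation format (RFC 3110 public key layout) and flags moduli below 2048 bits, the size the message says it would accept. All function names are hypothetical, and `make_sample` builds constructed records with filler moduli, not real keys.

```python
import base64
import struct

RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def parse_dnskey(text):
    """Parse 'flags protocol algorithm base64...' (DNSKEY presentation format)."""
    flags, protocol, algorithm, *b64 = text.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64))

def rsa_modulus_bits(public_key):
    """Modulus size in bits of an RFC 3110 RSA public key field."""
    if len(public_key) < 3:
        raise ValueError("public key field too short")
    exp_len, offset = public_key[0], 1
    if exp_len == 0:  # long form: 0x00 then a two-byte exponent length
        exp_len, offset = struct.unpack("!H", public_key[1:3])[0], 3
    modulus = public_key[offset + exp_len:]
    if not modulus:
        raise ValueError("no modulus after exponent")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dnskey(text, minimum_bits=2048):
    """Return (role, bits, ok) for one RSA DNSKEY record."""
    flags, _protocol, algorithm, public_key = parse_dnskey(text)
    if algorithm not in RSA_ALGORITHMS:
        raise ValueError(f"algorithm {algorithm} is not RSA")
    role = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit marks a key-signing key
    bits = rsa_modulus_bits(public_key)
    return role, bits, bits >= minimum_bits

def make_sample(flags, modulus_bytes):
    """Constructed record: filler modulus of the given size, not a real key."""
    key = b"\x03\x01\x00\x01" + b"\xc1" + b"\x5a" * (modulus_bytes - 1)
    return f"{flags} 3 8 {base64.b64encode(key).decode()}"

if __name__ == "__main__":
    for record in (make_sample(256, 128), make_sample(257, 256)):
        role, bits, ok = audit_dnskey(record)
        print(f"{role} RSA-{bits}: {'ok' if ok else 'below minimum'}")
```

To audit a live zone, feed it the RDATA portion of each line from a DNSKEY query in place of the constructed samples.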