On Mar 27, 2014, at 10:22 AM, Joe Abley <jab...@hopcount.ca> wrote:

> 
> On 27 Mar 2014, at 22:56, Nicholas Weaver <nwea...@icsi.berkeley.edu> wrote:
> 
>> Bits are not precious:  Until a DNS reply hits the fragmentation limit of 
>> ~1500B, size-matters-not (tm, Yoda Inc).  
>> 
>> So why are both root and com and org and, well, just about everyone else 
>> using 1024b keys for the actual signing?
> 
> Those requirements (for the root zone keys) came from NTIA via NIST:
> 
> http://www.ntia.doc.gov/files/ntia/publications/dnssec_requirements_102909.pdf
>  (9)(a)(i)
> 
> (well, NIST specified a minimum key size, but the implication at the time was 
> that that was a safe minimum).
> 
Safe enough, but not preferred - it was due to practical concerns at the time.  
It was set that low (lower than approved for general USG use) mainly because 
there were unknown devices that had issues with large packet sizes (i.e. 
keyroll being a problem with low PMTU settings).  There are still some issues 
out there but getting better. 

It is likely safe enough now to increase to 2048 for both KSK and ZSK.  Zones 
are doing this now and haven't seen any horror stories.

Scott
> Bear in mind, I guess, that these keys have a publication lifetime that is 
> relatively short. The window in which a factoring attack has an opportunity 
> to find a result that can be exploited as a compromise is fairly narrow.
> 
> 
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

===================================
Scott Rose
NIST
scott.r...@nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================
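To make the size trade-off in the thread concrete, here is an added example (mine, not code from the list, NIST or any root-zone operator) that estimates DNSKEY response sizes from the RFC 4034 DNSKEY/RRSIG wire formats and the RFC 3110 RSA key encoding for the 1024- and 2048-bit cases, in steady state and mid-rollover. The function names, the root-zone simplifications (RRset signed by the KSKs only, no extra records, exponent 65537) and the 28-byte IPv4/UDP overhead against a 1500-byte path MTU are my assumptions.

```python
# Added example (not from the thread): estimate the wire size of a DNSKEY
# response from the RFC 4034 DNSKEY/RRSIG formats and the RFC 3110 RSA key
# encoding, to see how close 1024- and 2048-bit keys get to the ~1500-byte
# fragmentation limit, especially mid-rollover when extra keys are published.

RSA_EXPONENT_LEN = 3   # public exponent 65537 occupies three bytes
DNS_HEADER = 12
RR_FIXED = 10          # TYPE + CLASS + TTL + RDLENGTH
RRSIG_FIXED = 18       # type covered .. key tag (before signer name/signature)
EDNS0_OPT_RR = 11      # root name + TYPE + CLASS + TTL + RDLENGTH, no options


def dnskey_rdata(bits):
    # flags(2) + protocol(1) + algorithm(1) + RSA key: exponent length byte,
    # exponent, modulus (RFC 3110 encoding)
    return 4 + 1 + RSA_EXPONENT_LEN + bits // 8


def rrsig_rdata(bits, signer_wire_len):
    # signer name is never compressed (RFC 4034 3.1.7); signature is modulus-sized
    return RRSIG_FIXED + signer_wire_len + bits // 8


def dnskey_response_size(ksk_bits, zsk_bits, n_ksk=1, n_zsk=1, owner_wire_len=1):
    """Estimated bytes of a DNSKEY answer in which each KSK signs the RRset.
    owner_wire_len=1 is the root zone name "."; longer names are assumed to be
    compressed to a 2-byte pointer in the answer section.  Assumes (my
    simplification) the RRset is signed by the KSKs only, nothing else in it.
    """
    name = 1 if owner_wire_len == 1 else 2
    question = owner_wire_len + 4
    keys = n_ksk * (name + RR_FIXED + dnskey_rdata(ksk_bits))
    keys += n_zsk * (name + RR_FIXED + dnskey_rdata(zsk_bits))
    sigs = n_ksk * (name + RR_FIXED + rrsig_rdata(ksk_bits, owner_wire_len))
    return DNS_HEADER + question + keys + sigs + EDNS0_OPT_RR


def fits_unfragmented(dns_bytes, mtu=1500, ip_udp_overhead=28):
    # 28 = IPv4 (20) + UDP (8) headers; assumed path MTU of 1500 bytes
    return dns_bytes + ip_udp_overhead <= mtu


if __name__ == "__main__":
    # steady state vs. a rollover publishing two KSKs and two ZSKs at once
    for label, ksk, zsk in (("1024/1024", 1024, 1024), ("2048/1024", 2048, 1024),
                            ("2048/2048", 2048, 2048)):
        for n in (1, 2):
            size = dnskey_response_size(ksk, zsk, n_ksk=n, n_zsk=n)
            print(f"KSK/ZSK {label}, {n} of each: {size:5d} bytes, "
                  f"{'fits' if fits_unfragmented(size) else 'FRAGMENTS'}")
```

With these assumptions a 2048/2048 root DNSKEY response fits comfortably in steady state but exceeds the limit when two KSKs and two ZSKs are published at once, which is the rollover-time concern raised above.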
