On Mon, 19 Jan 2015, Paul Hoffman wrote:

> If we want small, short tractable signatures in DNS, moving to ECDSA is easier now than at any other time. We just have to accept we make a lot of DNSSEC clients stop validating until code updates.
>
> A big +1 to this.
A big -1 to this. You suggest basically obsoleting RSA before ECDSA is widely supported. If you want to sunset RSA, write a draft with a clear timetable.

I don't see why the root zone (or anyone else) currently could not switch the ZSK from 1024 to 2048. I would expect root zone queries including a bigger signature over the DS record would still be much smaller than most zones' APEX with A/AAAA/MX and RRSIGs, which already use 2048 RSA keys on top of that. I think the reason it is still 1024 lies more within practical and procedural matters, and does not relate to packet sizes (which is the only argument for ECDSA unless you think the NSA can factor 2048 or even 1024 in a trivial amount of time).

So for the root, I suspect switching the ZSK from 1024 RSA to 2048 RSA or to ECDSA is the exact same problem. So why drop RSA and cause a lot of invalidation to happen? That would be much more of a reputation damage than the ill-conceived "problem" of current 1024 bit RSA keys.

Paul
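To put numbers on the size comparison Paul makes above (a root DS answer signed with a larger key versus a signed zone apex), here is an added example that is not part of the thread. It estimates wire sizes from the RRSIG RDATA layout in RFC 4034; the names, record set and simplifications (uncompressed names, no authority/additional sections, SHA-256 DS digests, one RRSIG per RRset) are assumptions of this example, not figures from the discussion.

```python
"""Added example: estimate DNSSEC response sizes for the key choices debated above.
Assumptions (not from the thread): uncompressed names, no authority/additional
sections, SHA-256 DS digests, one RRSIG per RRset."""

# Raw signature field length in bytes for each option (RFC 4034 / RFC 6605).
SIG_BYTES = {"RSA-1024": 128, "RSA-2048": 256, "ECDSA-P256": 64}

def wire_name(name):
    """Encode a dotted name in uncompressed DNS wire format (root is one zero byte)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rrsig_rdata_len(signer, alg):
    """RRSIG RDATA: 18 fixed bytes + signer's name + signature (RFC 4034 s3.1)."""
    return 18 + len(wire_name(signer)) + SIG_BYTES[alg]

def rr_len(owner, rdlen):
    """Full RR: owner + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return len(wire_name(owner)) + 10 + rdlen

def response_len(owner, signer, alg, rrsets):
    """Header + question + each RRset (rdata_len, rr_count) with one RRSIG."""
    total = 12 + len(wire_name(owner)) + 4
    for rdlen, count in rrsets:
        total += count * rr_len(owner, rdlen) + rr_len(owner, rrsig_rdata_len(signer, alg))
    return total

def root_ds_response(tld, alg):
    """One DS record (2+1+1+32 bytes with a SHA-256 digest) signed by the root ZSK."""
    return response_len(tld, ".", alg, [(36, 1)])

def apex_response(zone, mailhost, alg):
    """Constructed apex: one A, one AAAA, one MX, each RRset signed by the zone's ZSK."""
    mx_rdata = 2 + len(wire_name(mailhost))
    return response_len(zone, zone, alg, [(4, 1), (16, 1), (mx_rdata, 1)])

def compare():
    """Sizes for the root DS case per algorithm, and a constructed RSA-2048 apex."""
    out = {alg: root_ds_response("example.", alg) for alg in SIG_BYTES}
    out["apex-RSA-2048"] = apex_response("example.com.", "mail.example.com.", "RSA-2048")
    return out

if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:15} {v:5d} bytes")
```

Under these assumptions the DS answer grows from 246 to 374 bytes when the root ZSK moves from RSA-1024 to RSA-2048, still well inside the 512-byte classic UDP limit and about a third of the 1068-byte constructed apex answer; real responses with name compression are somewhat smaller.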