Another take on this, which may make some people feel very uncomfortable,
is to propose key migration in RSA via a downgrade keylength:

sign with a shorter RSA key, and re-sign with a long one once the original
long one is widely deprecated under 5011.

1024 -> new512 (!) -> new1024

this avoids having to carry 1024+new2048 because you only ever carry
1024+512.

But this is morally the story "roll often", which also makes people unhappy.

It's not an 'invalidation' outcome, Paul: it's non-validation. The damage is that
you cease to validate, not that you invalidate otherwise valid things.

But yes, it has qualities of reputational damage because you promise DNSSEC
but, for some validators, cannot deliver.

On Mon, Jan 19, 2015 at 3:10 PM, Paul Wouters <p...@nohats.ca> wrote:

> On Mon, 19 Jan 2015, Paul Hoffman wrote:
>
>>> If we want small, short tractable signatures in DNS, moving to eCDSA is
>>> easier now than at any other time. We just have to accept we make a lot of
>>> DNSSEC clients stop validating until code updates.
>>
>> A big +1 to this.
>
> A big -1 to this. You suggest basically obsoleting RSA before ECDSA is
> widely supported. If you want to sunset RSA, write a draft with a clear
> time table.
>
> I don't see why the root zone (or anyone else) currently could not switch
> the ZSK from 1024 to 2048. I would expect root zone queries including
> a bigger signature over the DS record would still be much smaller than
> most zones' apex with A/AAAA/MX and RRSIGs, which already use 2048 RSA
> keys on top of that.
>
> I think the reason it is still 1024 lies more within practical and
> procedural matters, and does not relate to packet sizes (which is the
> only argument for ECDSA unless you think the NSA can factor 2048 or
> even 1024 in a trivial amount of time). So for the root, I suspect
> switching the ZSK from 1024 RSA to 2048 RSA or to ECDSA is the exact
> same problem. So why drop RSA and cause a lot of invalidation to happen?
> That would be much more of a reputation damage than the ill-conceived
> "problem" of current 1024 bit RSA keys.
>
> Paul
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
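An added illustration of the packet-size argument in this thread, not code from any poster: it estimates DNSKEY and RRSIG wire sizes (RFC 4034 RDATA layouts, RFC 3110 RSA key encoding, RFC 6605 P-256 sizes) for the 1024+2048 and 1024+512 double-signing scenarios and for a single ECDSA P-256 key. Public exponent 65537, uncompressed owner names, and zero-filled key and signature bytes are assumptions made for the size estimate.

```python
# Estimate DNSSEC record sizes on the wire for the key-length scenarios above.
# Assumed: RSA exponent 65537, no name compression, zero-filled key material.
RSA_SHA256 = 8         # RFC 5702 algorithm number
ECDSAP256SHA256 = 13   # RFC 6605 algorithm number
RR_FIXED = 10          # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
RRSIG_FIXED = 18       # type covered, alg, labels, orig TTL, expiry, inception, key tag

def wire_name(name: str) -> bytes:
    """Uncompressed wire encoding of a presentation-format name ("." is one byte)."""
    if name in (".", ""):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rsa_public_key_rdata(modulus_bits: int, exponent: int = 65537) -> bytes:
    """RFC 3110 public key field: exponent length, exponent, modulus (zeros here)."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    length = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return length + exp + bytes(modulus_bits // 8)

def signature_len(algorithm: int, modulus_bits: int = 0) -> int:
    """RSA signatures are modulus-sized; P-256 signatures are r||s = 64 bytes."""
    if algorithm == ECDSAP256SHA256:
        return 64
    if algorithm == RSA_SHA256:
        return modulus_bits // 8
    raise ValueError(f"unsupported algorithm {algorithm}")

def dnskey_rr_size(owner: str, algorithm: int, modulus_bits: int = 0) -> int:
    """Whole DNSKEY RR: owner + fixed header + flags(2) protocol(1) alg(1) + key."""
    key = bytes(64) if algorithm == ECDSAP256SHA256 else rsa_public_key_rdata(modulus_bits)
    return len(wire_name(owner)) + RR_FIXED + 4 + len(key)

def rrsig_rr_size(owner: str, signer: str, algorithm: int, modulus_bits: int = 0) -> int:
    """Whole RRSIG RR covering an RRset at `owner`, signed by `signer`."""
    return (len(wire_name(owner)) + RR_FIXED + RRSIG_FIXED
            + len(wire_name(signer)) + signature_len(algorithm, modulus_bits))

def rollover_carry_bytes(owner: str, signer: str, keys) -> int:
    """DNSKEY bytes published at `signer` plus RRSIG bytes on one RRset at `owner`,
    one of each per (algorithm, modulus_bits) pair carried during the rollover."""
    return sum(dnskey_rr_size(signer, alg, bits) + rrsig_rr_size(owner, signer, alg, bits)
               for alg, bits in keys)

if __name__ == "__main__":
    print("1024+2048:", rollover_carry_bytes("example.", ".", [(RSA_SHA256, 1024), (RSA_SHA256, 2048)]))
    print("1024+512 :", rollover_carry_bytes("example.", ".", [(RSA_SHA256, 1024), (RSA_SHA256, 512)]))
    print("P-256    :", rollover_carry_bytes("example.", ".", [(ECDSAP256SHA256, 0)]))
```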
