Let me clarify things a bit,

The root ZSK key is 1024 because of assumed packet size issues.

nohats.ca is currently publishing 3 2048 bit keys, and has a message
size as reported by dig of 1163. That's even under 1500 (and came in on
UDP). So what's the problem of moving the root ZSK to 2048?

The current root DNSKEY RRset is 736 bytes. More when there is a key rollover.

Provided packet size is an issue, how many TLDs would these problematic
clients not be able to resolve? Let's see (script-kiddie script):

DNSKEY RRset sizes vary between 569 and 2969 bytes.

Top twenty sizes:

count  size (bytes)
42 983
37 980
31 986
28 989
27 977
26 747
25 893
20 745
18 1340
17 995
17 1621
16 897
16 1175
16 1171
15 907
15 749
14 895
14 1337
14 1169
13 992
12 974
12 1629
12 1334

59 of the 840 TLDs with DNSKEYs (or 7%) have a DNSKEY RRset larger than 1500:

      2 2969
      2 1898
      1 1788
      1 1693
      2 1669
      6 1657
      2 1641
     12 1629
      8 1625
     17 1621
      2 1567
      4 1537

Probably if you track these for a few months to capture all TLD rollovers,
the number of TLDs that are ever in a size > 1500 is much higher.

Then of course, how many second and third level domains just run with
only 2048 bit KSK/ZSKs? All of those would currently cause problems
despite the root 1024 ZSK "accommodating" them on the first step of the
validation process.

In other words, whichever clients cannot handle a root ZSK of 2048
already have a severe problem with DNS. I don't think we would be adding
much of a problem by just switching to 2048 today.

Of course, once you believe we can do a ZSK of 2048, there is no urgency
to move to ECDSA and we can wait on the CFRG to come up with a non-DSA
ECC algorithm for us.

As an aside, you can sign your zone's DNSKEY RRset with only the KSK,
but some zones still sign it with both ZSK and KSK. The root signs with
just the KSK.

And as an example, this is the root DNSKEY RRset:

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-16.P2.fc19 <<>> +dnssec dnskey .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6705
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       137698  IN      DNSKEY  256 3 8
AwEAAe3fSrbLBy3LOS7pnxEUhvPZTE2H5dIGsI/UfruI/nOEvWWa/PSX
2BFedBkEqOlYdjdNF2f+6lmfk2Od/xu0v5bVqxFE+/24v3hZSlWBxvXz
PTAGHrbW/IJYEPqlzVOAS4XdUgHg0N7IbLywNHMvB+Yf+Nm6ctyXXFLV 4WTNnzs7
.                       137698  IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       137698  IN      RRSIG   DNSKEY 8 0 172800
20150125235959 20150111000000 19036 .
XadYgN9kxC9kchTC9Vqsl+WOgyWghjw1CWpiG42xjdpxd9EkHQLkJd3g
rhzZNJ1VYJk1B2Czx1Lh2tM0ctUXDXKs3+IGqcbY141TTj6q6lQdtkuw
kTLkuGIyZYd2rEt0oX0MV6HSUXejmPbe66EpkwrfQ+wBGpPkrGk1IbCr
qZ8g8CpvTkCx68Z0NC1oD93Pfc8zTH5jyA0r4Lj/p/S2NrP4BtEAatvM
WtboFfgY2duy7glWDbvO55QTaTygdrBQgf4l4+SU8LBRdEA5jSSQLSed
rB2lL933VRUujmFtSO6XK39SK0s2CSbcxeBBhtLefHOn7HPAY2g37pNj KN47LQ==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 19 14:54:27 EST 2015
;; MSG SIZE  rcvd: 736

And this is .au:

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-16.P2.fc19 <<>> +dnssec dnskey au +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2995
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;au.                    IN DNSKEY

;; ANSWER SECTION:
au.                     84726 IN DNSKEY 256 3 8 (
                                AwEAAbYbMN6XklMRQZV45zPkpfgKuE99d7ffemBlJfIV
                                99qq1x6QK22V+nRjPsp1LyrgMqrHMdBimsbbjYPN8NA8
                                25kgFMKpJXG2fJMCmsn2OwGhZ8UembIHhpCIfnBRdoBA
                                VQdgCYV+hrfLB3MWsUQUlQWSLITsbfU+4IZJJ9RfVxLY
                                iVZ3GfBv+3QVi4uvy0uFElCl4nuOsKg1t2UMn3peE1s=
                                ) ; ZSK; alg = RSASHA256; key id = 48759
au.                     84726 IN DNSKEY 257 3 8 (
                                AwEAAcFzdKOB1r9JFKuXUMg9E0VKmr3gJU+nJYn0w3gF
                                NYrDY/oXPQpxAFznHgKtamqXJ4jO6hacAFguStvXoKQe
                                De74vdRatwMR1b0I2gMHmIlyd0cfvE7oLxLBop9rKzSi
                                00RFFa6MXmaHuHsNWUOGwlzIsI3sWTpeSTUQ1Nzn+96M
                                zBY6yNDm4abtSlt9ptPU5JSomAB7bgHt69SxEUOHfrZo
                                T5u8X1fCIyZ/cS6SmR+sbU00qJ2PD+cmGWELpQgrXUOw
                                xm3+6qO5+0MEHMvKTAkWVGlj4wj2W/TxYw2ZpAoJbdA3
                                XKry7S0c2Mha22CgQBku7EpxBi4WjojRGzuBIoU=
                                ) ; KSK; alg = RSASHA256; key id = 5381
au.                     84726 IN DNSKEY 257 3 8 (
                                AwEAAbOSMtg7G2ixOlGPuhFhNiI7HUT2lNmgYPsuIzUr
                                5Rj0SPGv0aJNCWkFkYH87TxYs92JpU+VbLsokXGo9k2Q
                                vvZktFKZu61sENfOhK6w7DkqiSt2Do0rb5gpZHugr9Ay
                                S8iwegMumTuD76PjA2d34VrTt02+mqpDq1zGLpeY2kMC
                                BRQdhxHqX+BhJbCB7ogaz9yj8YEaIZ49dHfHDc9ZrjEc
                                z71S1YDLpi98yx2RbiaqBRSiH8JrVQrG7lSu2K4PS/A5
                                tQH2SgljpytW0mIKTtT8vrNVaw8L6uTILjyZqZNhu8Tw
                                IWRs9Hmz1BFdury6sDEPy2Zq9q0azL7HJBKY4As=
                                ) ; KSK; alg = RSASHA256; key id = 37976
au.                     84726 IN RRSIG DNSKEY 8 1 86400 (
                                20150419093525 20150119085951 5381 au.
                                E7wBPWwis6t2s4A3X0sIn7CHfgIc+b0HKU5y7ONsncQ+
                                efn9zdKIgy654ax3Xo9CMk8Qrw2PMicWPXtiDfE4/GVX
                                LxPZAxrm4LdZgT8xMhVU192Rv+9TGu0/1CbjjzJrSE2g
                                06h9p8/8PKsOiGKr6rD1oQ9YJg5Js8qRkGTXcNkGOVS1
                                ThH/xq5mLbpjUijCySiJmrTvazYjMSEl8QZk/iQXWmE2
                                jM8c38PZmLt45xDVGUDAbct/vKMaWrhs+vraRYaH9IEa
                                OO6+IkAN2uOtNmTUXNe/lssMSPtwPf2PVxQwtvbUgzdN
                                db33ESs/whLD/ozuRQPzGcnjHT/vIl9olw== )
au.                     84726 IN RRSIG DNSKEY 8 1 86400 (
                                20150419093525 20150119085951 37976 au.
                                mjyDoBO/WtZZJV4vbnoCoSsJQxIMypiaSl5cjGtzo2A+
                                iIXj7INNMrCMtjP5zJKsmDskSgHjWtOOb4xwZvOaFjDh
                                xkWy/t8ynlvPyEIsPwkKrZ4UbF8vjuEsmGmIeoC8TXts
                                Dc1nVOTD+oCZGcrJ2HRReStPsqb0aYiO/j2MaaSa4eNh
                                7ZOCLnyywl6LKcxyR2/afgP0Kvy6qArqGYtZnums8QMb
                                ECHcP+1J9jhLZ4fQ/PO14xGjebc0BAfOKkq8X4hPqKX4
                                Qth1k5Xd3yYL30xp4s55uUDzm0iCjRMx2mK2d+092SSj
                                xRvUmqpLE15S4UgYa+EFmkJlC+auvLQJ6A== )
au.                     84726 IN RRSIG DNSKEY 8 1 86400 (
                                20150419093525 20150119085951 48759 au.
                                ecRq6vUWcEdxUi90nLc2WaUAmJ2fSmX/AF9jsDNB7rhT
                                o4Ap7S4ITL5L1YA/V001f5d0hc1c6CkUVz3h2VDVi4gi
                                SHlVJKoa2vWXicNWe6ym0c5srqCUZ9Q1pi4B1WBHKX5B
                                UZjQiIueBoV4t9iXIsFxZPaCeYoYk1rUU4J6NaZ2Zps2
                                XaqOu8tflecLFtEOK3hAU6Gnhg2RkerWwUJcxQ== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 19 14:53:08 EST 2015
;; MSG SIZE  rcvd: 1537

So unless Australia is not reachable by a significant portion of the
world doing DNSSEC, the root is not going to see an issue either.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
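Added example (not part of Paul's message, and not the script he ran): a small
Python model of the wire size of a +dnssec DNSKEY response, fed with the public
keys copied from the two dig outputs above. It reproduces the two MSG SIZE values
dig reported (736 for the root, 1537 for au), recovers the au ZSK modulus size from
the key data, and then projects the root response with a 2048-bit ZSK, both at
steady state and mid-rollover. The assumptions are mine, not the post's: exponent
65537 for projected keys, 2-byte compression pointers for answer owner names other
than the root name, uncompressed RRSIG signer names, one empty OPT record, and a
KSK rollover in which both KSKs sign the RRset (double-signature style).

```python
"""Wire-size model for a +dnssec DNSKEY response (RSA keys, one OPT record)."""
import base64

# Public keys copied verbatim from the dig output in the post above.
ROOT_ZSK = ("AwEAAe3fSrbLBy3LOS7pnxEUhvPZTE2H5dIGsI/UfruI/nOEvWWa/PSX"
            "2BFedBkEqOlYdjdNF2f+6lmfk2Od/xu0v5bVqxFE+/24v3hZSlWBxvXz"
            "PTAGHrbW/IJYEPqlzVOAS4XdUgHg0N7IbLywNHMvB+Yf+Nm6ctyXXFLV4WTNnzs7")
ROOT_KSK = ("AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
            "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
            "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
            "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
            "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
            "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=")
AU_ZSK = ("AwEAAbYbMN6XklMRQZV45zPkpfgKuE99d7ffemBlJfIV99qq1x6QK22V+nRjPsp1LyrgMqrHMdBimsbbjYPN8NA8"
          "25kgFMKpJXG2fJMCmsn2OwGhZ8UembIHhpCIfnBRdoBAVQdgCYV+hrfLB3MWsUQUlQWSLITsbfU+4IZJJ9RfVxLY"
          "iVZ3GfBv+3QVi4uvy0uFElCl4nuOsKg1t2UMn3peE1s=")
AU_KSK1 = ("AwEAAcFzdKOB1r9JFKuXUMg9E0VKmr3gJU+nJYn0w3gFNYrDY/oXPQpxAFznHgKtamqXJ4jO6hacAFguStvXoKQe"
           "De74vdRatwMR1b0I2gMHmIlyd0cfvE7oLxLBop9rKzSi00RFFa6MXmaHuHsNWUOGwlzIsI3sWTpeSTUQ1Nzn+96M"
           "zBY6yNDm4abtSlt9ptPU5JSomAB7bgHt69SxEUOHfrZoT5u8X1fCIyZ/cS6SmR+sbU00qJ2PD+cmGWELpQgrXUOw"
           "xm3+6qO5+0MEHMvKTAkWVGlj4wj2W/TxYw2ZpAoJbdA3XKry7S0c2Mha22CgQBku7EpxBi4WjojRGzuBIoU=")  # key id 5381
AU_KSK2 = ("AwEAAbOSMtg7G2ixOlGPuhFhNiI7HUT2lNmgYPsuIzUr5Rj0SPGv0aJNCWkFkYH87TxYs92JpU+VbLsokXGo9k2Q"
           "vvZktFKZu61sENfOhK6w7DkqiSt2Do0rb5gpZHugr9AyS8iwegMumTuD76PjA2d34VrTt02+mqpDq1zGLpeY2kMC"
           "BRQdhxHqX+BhJbCB7ogaz9yj8YEaIZ49dHfHDc9ZrjEcz71S1YDLpi98yx2RbiaqBRSiH8JrVQrG7lSu2K4PS/A5"
           "tQH2SgljpytW0mIKTtT8vrNVaw8L6uTILjyZqZNhu8TwIWRs9Hmz1BFdury6sDEPy2Zq9q0azL7HJBKY4As=")  # key id 37976

DNS_HEADER = 12   # id, flags, four section counts
RR_FIXED = 10     # type, class, ttl, rdlength (owner name counted separately)
DNSKEY_FIXED = 4  # flags, protocol, algorithm
RRSIG_FIXED = 18  # type covered .. key tag; signer name and signature follow
OPT_RR = 11       # root owner, type, udp size, ext-rcode/version/flags, rdlength, no options


def wire_name_len(name):
    """Uncompressed wire length of a domain name: '.' -> 1, 'au.' -> 4."""
    labels = [label for label in name.split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1


def parse_rsa_key(pubkey_b64):
    """(key field length, modulus length) of an RFC 3110 RSA public key field."""
    raw = base64.b64decode(pubkey_b64)
    exp_len, hdr = raw[0], 1
    if exp_len == 0:                   # long form: 2-byte exponent length follows
        exp_len, hdr = int.from_bytes(raw[1:3], "big"), 3
    return len(raw), len(raw) - hdr - exp_len


def rsa_key(bits):
    """Same tuple for a hypothetical key of `bits` with exponent 65537 (3 bytes)."""
    return 1 + 3 + bits // 8, bits // 8


def dnskey_response_size(zone, keys, signers):
    """Bytes on the wire for `dig +dnssec DNSKEY zone`: every key, one RRSIG per signer.

    Assumptions (mine): answer owner names compress to a 2-byte pointer (the root
    name is a single zero byte), RRSIG signer names are not compressed, an RSA
    signature is as long as the modulus, and exactly one empty OPT record is present."""
    owner = 1 if zone == "." else 2
    size = DNS_HEADER + wire_name_len(zone) + 4          # question: qname, qtype, qclass
    for field_len, _ in keys:
        size += owner + RR_FIXED + DNSKEY_FIXED + field_len
    for _, modulus_len in signers:
        size += owner + RR_FIXED + RRSIG_FIXED + wire_name_len(zone) + modulus_len
    return size + OPT_RR


def root_today():
    """Root as shown above: 1024-bit ZSK, 2048-bit KSK, KSK-only signing."""
    zsk, ksk = parse_rsa_key(ROOT_ZSK), parse_rsa_key(ROOT_KSK)
    return dnskey_response_size(".", [zsk, ksk], [ksk])


def au_today():
    """au. as shown above: one ZSK and two KSKs, all three signing the RRset."""
    zsk = parse_rsa_key(AU_ZSK)
    ksks = [parse_rsa_key(AU_KSK1), parse_rsa_key(AU_KSK2)]
    return dnskey_response_size("au.", [zsk] + ksks, ksks + [zsk])


def root_projection(zsk_bits, n_zsk=1, n_ksk=1):
    """Root with n_zsk ZSKs of zsk_bits and n_ksk 2048-bit KSKs that all sign.

    n_zsk=2 models a pre-published ZSK; n_ksk=2 models a double-signed KSK rollover
    (an assumption about procedure, not something the post states)."""
    keys = [rsa_key(zsk_bits)] * n_zsk + [rsa_key(2048)] * n_ksk
    return dnskey_response_size(".", keys, [rsa_key(2048)] * n_ksk)


if __name__ == "__main__":
    print("root now:", root_today(), " au now:", au_today())
    print("au ZSK bits:", parse_rsa_key(AU_ZSK)[1] * 8)
    for n_zsk, n_ksk in ((1, 1), (2, 1), (1, 2), (2, 2)):
        print(f"root, 2048-bit ZSK, {n_zsk} ZSK / {n_ksk} KSK:", root_projection(2048, n_zsk, n_ksk))
```

Two things the model shows that the dig output alone does not: the au ZSK is a
1280-bit key (160-byte modulus), not 1024 or 2048, and the root response grows from
736 to 864 bytes with a 2048-bit ZSK at steady state, to 1139 with a second ZSK
pre-published, to 1425 with two signing KSKs, and only crosses 1500 (1700 bytes)
if a ZSK and a double-signed KSK rollover overlap. The model counts bytes for a
response with no EDNS options, so a resolver that adds options, or a server that
does not compress owner names, will see slightly larger answers.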
