On Fri, Feb 26, 2010 at 11:41 AM, Paul Wouters <p...@xelerance.com> wrote:
> On Fri, 26 Feb 2010, Eric Rescorla wrote:
>
>> For reasons of signing speed and DNS packet length one may want to keep
>> keylength at a minimal responsible length and change the key
>> relatively frequently while not interacting with the parent.
>>
>> This statement is a non sequitur. Sure, one may want to keep the keylength
>> short to improve signing speed, but since changing the key frequently doesn't
>> significantly improve security against analysis (as has been covered on-list
>> ad nauseam), the last half of the sentence doesn't make any sense.
>
> Cycling a 1024 bit RSA key every month does improve the security of a zone,
> compared to not cycling the key.
>
> Cryptanalysis is a function of time (and money). If you reduce the usable
> time for attackers, their spending goes up or they will not have enough time
> to break the key before it is retired.

Yes, it increases their spending by the ratio of the frequency of the
key cycling to the original cycle time. For instance, cycling monthly
instead of yearly adds approximately 3.6 bits of security,
equivalent to about an 1100-bit RSA key
(calculations here:
http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html)

As I said, this is a trivial improvement.


> The recommended key size and time
> in the document reflects current cryptographers' extremely conservative
> estimate of what is deemed safe by a few orders of magnitude.

Really? Which cryptographers recommend rolling over keys monthly?

-Ekr
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
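The arithmetic behind the "3.6 bits, roughly an 1100-bit key" figure above, worked through as an added example (this is not code from the thread or from the linked blog post): shortening a ZSK's lifetime from one year to one month divides the attacker's per-key budget by about 12, which is log2(12) ≈ 3.6 bits. To translate those bits back into an RSA modulus size, the example assumes the standard GNFS heuristic L_N[1/3, (64/9)^(1/3)] with the o(1) term dropped, and bisects for the smallest modulus whose estimated factoring effort is at least that many bits above a 1024-bit modulus. The absolute security levels this heuristic produces are rough and depend on the chosen constant; only the difference between nearby key sizes is used, which is why the result lands near, but not exactly on, the figure quoted in the message.

```python
import math

# Assumption (not from the thread): estimate RSA factoring effort with the
# GNFS heuristic  log2(work) ~ c * (ln N)^(1/3) * (ln ln N)^(2/3) / ln 2,
# with c = (64/9)^(1/3).  The o(1) term and constant factors are ignored,
# so absolute numbers are rough; differences between nearby sizes are what
# the rollover comparison relies on.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_work_bits(modulus_bits: int) -> float:
    """Approximate log2 of the GNFS effort to factor an RSA modulus of the given size."""
    ln_n = modulus_bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def rollover_gain_bits(old_period: float, new_period: float) -> float:
    """Security gained, in bits, by shortening a key's lifetime.

    The attacker's time (and hence budget) per key shrinks by old/new,
    which is worth log2(old/new) bits of work factor.
    """
    if old_period <= 0 or new_period <= 0:
        raise ValueError("key lifetimes must be positive")
    return math.log2(old_period / new_period)


def equivalent_modulus_bits(base_bits: int, extra_bits: float) -> int:
    """Smallest RSA modulus whose estimated GNFS effort is >= base_bits' effort + extra_bits."""
    target = gnfs_work_bits(base_bits) + extra_bits
    lo, hi = base_bits, base_bits * 4  # effort grows monotonically in size, so bisect
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_work_bits(mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def zsk_rollover_equivalent(base_bits: int = 1024,
                            old_days: float = 365,
                            new_days: float = 30) -> tuple:
    """Return (bits gained, equivalent static modulus size) for a faster rollover schedule."""
    gain = rollover_gain_bits(old_days, new_days)
    return gain, equivalent_modulus_bits(base_bits, gain)


if __name__ == "__main__":
    gain, eq_bits = zsk_rollover_equivalent()
    print(f"monthly instead of yearly rollover of a 1024-bit ZSK: "
          f"+{gain:.2f} bits, comparable to a ~{eq_bits}-bit static key")
```

Changing the schedule from yearly to weekly instead of monthly only adds another couple of bits, which is the quantitative sense in which frequent rollover is a small lever compared with simply choosing a longer key.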
