Bits are not precious: Until a DNS reply hits the fragmentation limit of ~1500B, size-matters-not (tm, Yoda Inc).

So why are both root and com and org and, well, just about everyone else using 1024b keys for the actual signing?

The biggest blobs of typical DNSSEC data are NSEC3 responses, and upping the key size to 2048b everywhere will not cause widespread fragmentation issues (4096b will... but only on those NSEC3 blobbies which require three RRSIGs, you can get non-NSEC3 responses to fit under that limit in most cases as those require only one or perhaps two RRSIGs).

1024B is unquestionably too weak, 768-bit RSA has been factored in 2010 as a low-resource academic project: http://eprint.iacr.org/2010/006.pdf and 1024B is estimated at only "a thousand times harder". RSA 768 took just 1,500 CPU-years on the fully parallelizable sieving step, and 4 days of total time (but only 12 hours of successful computation) on a couple of ~35 node clusters. And, frankly speaking, a 3500 node cluster for a day is $75K thanks to EC2.

Do you really want someone like me to try to get an EC2 academic grant for the cluster and a big slashdot/boingboing crowd for the sieving to factor the root ZSK?

So why the hell do the real operators of DNSSEC that matters, notably com and ., use 1024b RSA keys?

And don't give me that key-roll BS: Give me an out of date key for . and a MitM position, and I can basically create a false world for many DNSSEC-validating devices by also providing bogus time data with a MitM on NTP...

IMO, it is time for DNSSEC software to refuse to generate new RSA keys less than 2048b in length, and for the TLD and root operators to ditch short keys into the trash heap of history. Well, the time was actually a decade ago, but hey...

If people actually want DNSSEC to be taken seriously as a PKI-type resource (à la DANE), the DNS community needs to actually, well, use secure crypto. 1024b RSA is not secure. Go Big or Go Home.
--
Nicholas Weaver                  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu        full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
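An added example, not part of the original message or of any DNSSEC software: a Python audit that decodes an RSA DNSKEY public key field (RFC 3110 encoding), reports the modulus size against the 2048-bit floor the message argues for, and computes the signature bytes a response carries for a given number of RRSIGs. The function names and the sample records are constructed for illustration; the sample keys are filler bytes, not real keys.

```python
import base64

MIN_RSA_BITS = 2048        # floor argued for in the message above
RSA_ALGS = {5, 7, 8, 10}   # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def rsa_modulus_bits(pubkey_b64):
    """Modulus size in bits of an RSA DNSKEY public key field (RFC 3110)."""
    raw = base64.b64decode(pubkey_b64)
    if len(raw) < 3:
        raise ValueError("truncated RSA key")
    # Exponent length is one byte, or 0x00 followed by a two-byte length.
    if raw[0] != 0:
        exp_len, off = raw[0], 1
    else:
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    modulus = raw[off + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dnskey(rdata):
    """rdata: presentation-format DNSKEY rdata, 'flags protocol alg base64...'.
    Returns (role, bits, meets_floor), or None for non-RSA algorithms."""
    flags, _proto, alg, *key = rdata.split()
    if int(alg) not in RSA_ALGS:
        return None
    bits = rsa_modulus_bits("".join(key))   # base64 may be split by spaces
    role = "KSK" if int(flags) & 1 else "ZSK"  # SEP bit marks a KSK
    return role, bits, bits >= MIN_RSA_BITS

def rrsig_signature_bytes(bits, rrsig_count):
    """An RSA signature is as long as the modulus, so each RRSIG adds bits/8."""
    return rrsig_count * (bits // 8)

def constructed_rdata(flags, bits):
    """Constructed sample record: exponent 65537, filler modulus, algorithm 8."""
    modulus = b"\xc3" + b"\x5a" * (bits // 8 - 1)
    key = b"\x03\x01\x00\x01" + modulus
    return f"{flags} 3 8 {base64.b64encode(key).decode()}"

if __name__ == "__main__":
    for flags, bits in ((256, 1024), (257, 2048)):
        print(audit_dnskey(constructed_rdata(flags, bits)))
    for bits in (1024, 2048, 4096):
        print(bits, "bit key, 3 RRSIGs:", rrsig_signature_bytes(bits, 3), "bytes")
```

With three RRSIGs, the signatures alone come to 768 bytes at 2048 bits and 1536 bytes at 4096 bits, which matches the message's point about where the ~1500B limit starts to bite.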