On Mar 27, 2014, at 6:54 PM, Bill Woodcock <wo...@pch.net> wrote:
>
> On Mar 27, 2014, at 10:14 AM, Matthäus Wander <matthaeus.wan...@uni-due.de> wrote:
>> Here's a small statistic about RSA key lengths of 741,552 signed
>> second-level domains (collected on 2014-01-27, counting KSK and ZSKs):
>>
>> 1024 bit: 1298238
>> 2048 bit: 698232
>> 1280 bit: 28441
>> 4096 bit: 25326
>> 512 bit: 8893
>> 1536 bit: 385
>
> Matthäus, do you have an easy way of separating out KSK from ZSK in your
> statistics? FWIW, we're currently doing 2048-bit KSK and 1024-bit ZSK, but
> will shortly be transitioning to 4096-and-2048.
>
> -Bill
Doing these big jumps is the wrong thing to do. Increasing the key size increases three things:

- time to generate signatures
- bits on the wire
- verification time

I care more about verification time than bits on the wire (as I think that is a red herring). Signing time increase is a self-inflicted wound, so that is immaterial.

                  sign       verify     sign/s   verify/s
rsa 1024 bits  0.000256s  0.000016s   3902.8   62233.2
rsa 2048 bits  0.001722s  0.000053s    580.7   18852.8
rsa 4096 bits  0.012506s  0.000199s     80.0    5016.8

Thus doubling the key size decreases the verification performance by roughly 70%.

KSK verification times affect the time to traverse the DNS tree, thus:

- If 1024 is too short, 1280 is fine for now.
- If 2048 is too short, a 2400-bit key is much harder to break, thus it should be fine.

Just a plea for key-use policy sanity, not picking on Bill in any way.

Olafur

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
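The scaling argument above (verification cost and signature bytes growing with RSA modulus size) can be reproduced without a real key pair, as an added example that is not part of the thread. It assumes that the cost of a modular exponentiation is determined by operand sizes, so a constructed random odd modulus stands in for a real RSA modulus; the `rsa 1024/2048/4096` rows and the 70% figure in Olafur's message come from OpenSSL, not from this script.

```python
import random
import time

# DNSSEC verification of an RSA signature is one modular exponentiation of the
# signature with the public exponent (commonly 65537) modulo the key modulus.
# Its cost is driven by the modulus size, so a constructed odd number of the
# right bit length (NOT a real RSA key) is enough to compare sizes.
E_PUBLIC = 65537


def constructed_modulus(bits, seed=1):
    """Constructed stand-in modulus: exact bit length, odd (hypothetical key)."""
    rng = random.Random(seed)
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1


def signature_bytes_on_wire(bits):
    """An RSA signature is as long as the modulus: RRSIG RDATA grows with it."""
    return (bits + 7) // 8


def verify_cost(bits, iterations=500):
    """Seconds per simulated verification (pow with the small public exponent)."""
    n = constructed_modulus(bits)
    sig = random.Random(2).getrandbits(bits) % n
    start = time.perf_counter()
    for _ in range(iterations):
        pow(sig, E_PUBLIC, n)
    return (time.perf_counter() - start) / iterations


def sign_cost(bits, iterations=5):
    """Seconds per simulated signing: a full-size (constructed) private exponent."""
    n = constructed_modulus(bits)
    rng = random.Random(3)
    d = rng.getrandbits(bits) | (1 << (bits - 1))
    msg = rng.getrandbits(bits) % n
    start = time.perf_counter()
    for _ in range(iterations):
        pow(msg, d, n)
    return (time.perf_counter() - start) / iterations


def slowdown(bits_from, bits_to):
    """Relative verification cost when moving a zone from bits_from to bits_to."""
    return verify_cost(bits_to) / verify_cost(bits_from)


if __name__ == "__main__":
    for bits in (1024, 1280, 2048, 2400, 4096):
        print(f"rsa {bits} bits: sig {signature_bytes_on_wire(bits)} B, "
              f"verify {verify_cost(bits) * 1e6:.1f} us, "
              f"sign {sign_cost(bits) * 1e3:.2f} ms")
    print(f"1024 -> 2048 verify slowdown: {slowdown(1024, 2048):.1f}x")
```

Absolute numbers depend on the Python big-integer implementation and will be far slower than OpenSSL; the ratios between sizes are what matter for a resolver that validates a chain of KSKs on every tree traversal.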