Hi Scott,
At 10:13 02-04-2014, Rose, Scott wrote:
> The only DNSSEC-related NIST SPs are 800-57 and 800-81-2. SP
> 800-57 is in 3 parts: part one is general key considerations and
> part 3 covers specific uses like DNSSEC. It's showing its age though.
> The US Federal policy (now) is 2048-bit RSA for all uses; DNSSEC has
> a special exemption for 1024-bit ZSKs if desired (to reduce the risk
> of fragmented packets). I do know some .gov zones using 2048-bit
> KSKs and ZSKs, as local policies can call for stronger keys. By
> 2015, .gov/.mil zones should migrate to ECDSA. Not sure if that will
> happen given the track record, but that is the roadmap.
Thanks for the above information. To add to it, 1024-bit RSA keys
are allowed until 2015. There is an explanation for that
recommendation, i.e. it is not only about packet size.
Regards,
S. Moonesamy
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
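The fragmentation argument behind the 1024-bit ZSK exemption and the ECDSA roadmap is easy to put numbers on. The following is an added example (not posted by either participant and not part of any NIST document): it estimates the UDP payload of a DNSKEY response from the RFC 4034 DNSKEY/RRSIG wire formats, the RFC 3110 RSA key encoding and the RFC 6605 ECDSA encoding, for RSA-2048, RSA-1024 and ECDSA P-256 keys, in steady state and during a double-KSK/double-ZSK rollover. The zone name example.gov., the key sets, the assumption that owner names in the answer section compress to a 2-octet pointer, the 65537 exponent, and the 1232/1472-octet limits are all constructed or assumed for illustration; no authority or additional records beyond one OPT RR are counted.

```python
"""Estimate DNSSEC response sizes on the wire for different key choices.

Added illustration, not code from the mailing-list thread.  Wire-size
arithmetic follows RFC 4034 (DNSKEY/RRSIG), RFC 3110 (RSA key encoding)
and RFC 6605 (ECDSA).  Assumptions: answer-section owner names compress
to a 2-octet pointer to the question name, RSA exponent is 65537
(3 octets), only a single OPT RR outside the answer section.  The zone
and key sets used below are constructed examples.
"""

ALG_RSASHA256 = 8          # RFC 5702
ALG_ECDSAP256SHA256 = 13   # RFC 6605

DNS_HEADER_LEN = 12
RR_FIXED_LEN = 10          # TYPE, CLASS, TTL, RDLENGTH
COMPRESSED_NAME_LEN = 2    # pointer back to the question name
OPT_RR_LEN = 11            # root owner + fixed fields, no EDNS options
RSA_EXPONENT_LEN = 3       # 65537

# Payload limits a response must stay within to avoid IP-layer fragmentation
# (assumed thresholds): 1232 is the common EDNS buffer recommendation (an
# IPv6 minimum MTU of 1280 minus 40+8 header octets); 1472 is a 1500-octet
# IPv4 Ethernet MTU minus 20+8 header octets.
LIMITS = {"edns-1232": 1232, "ipv4-1500-mtu": 1472}


def wire_name_len(name):
    """Uncompressed wire length of a domain name ("example.gov." -> 13)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def public_key_len(alg, bits):
    """Length of the DNSKEY public-key field in octets."""
    if alg == ALG_RSASHA256:
        # RFC 3110: 1-octet exponent length, the exponent, then the modulus
        return 1 + RSA_EXPONENT_LEN + bits // 8
    if alg == ALG_ECDSAP256SHA256:
        return 64                 # RFC 6605: x || y of the P-256 point
    raise ValueError(f"unsupported algorithm {alg}")


def signature_len(alg, bits):
    """Length of the RRSIG signature field in octets."""
    if alg == ALG_RSASHA256:
        return bits // 8          # one modulus-sized block
    if alg == ALG_ECDSAP256SHA256:
        return 64                 # r || s
    raise ValueError(f"unsupported algorithm {alg}")


def dnskey_rr_len(alg, bits):
    """One DNSKEY RR: flags(2) + protocol(1) + algorithm(1) + public key."""
    return COMPRESSED_NAME_LEN + RR_FIXED_LEN + 4 + public_key_len(alg, bits)


def rrsig_rr_len(alg, bits, signer):
    """One RRSIG RR: 18 fixed octets, the signer's name (RFC 4034 says it
    MUST NOT be compressed), then the signature."""
    return (COMPRESSED_NAME_LEN + RR_FIXED_LEN + 18
            + wire_name_len(signer) + signature_len(alg, bits))


def response_len(zone, rr_lens, rrsigs):
    """Total UDP payload: header, question, answer RRs, their RRSIGs, OPT."""
    question = wire_name_len(zone) + 4          # QTYPE + QCLASS
    sigs = sum(rrsig_rr_len(alg, bits, zone) for alg, bits in rrsigs)
    return DNS_HEADER_LEN + question + sum(rr_lens) + sigs + OPT_RR_LEN


def dnskey_response_len(zone, keys, signers):
    """DNSKEY query response: the whole key RRset plus one RRSIG per signer."""
    return response_len(zone, [dnskey_rr_len(a, b) for a, b in keys], signers)


def fits(size):
    """Which of the assumed fragmentation limits a response stays within."""
    return {name: size <= limit for name, limit in LIMITS.items()}


if __name__ == "__main__":
    zone = "example.gov."                       # constructed example zone
    rsa2048 = (ALG_RSASHA256, 2048)
    rsa1024 = (ALG_RSASHA256, 1024)
    p256 = (ALG_ECDSAP256SHA256, 256)
    scenarios = {
        "RSA-2048 KSK+ZSK, steady state": ([rsa2048, rsa2048], [rsa2048]),
        "RSA-2048 KSK, RSA-1024 ZSK, steady state": ([rsa2048, rsa1024], [rsa2048]),
        "RSA-2048 KSK+ZSK, double-KSK/double-ZSK rollover": ([rsa2048] * 4, [rsa2048] * 2),
        "RSA-2048 KSK, RSA-1024 ZSK, same rollover": ([rsa2048, rsa2048, rsa1024, rsa1024], [rsa2048] * 2),
        "ECDSA P-256 KSK+ZSK, same rollover": ([p256] * 4, [p256] * 2),
    }
    for label, (keys, signers) in scenarios.items():
        size = dnskey_response_len(zone, keys, signers)
        print(f"{size:5d} octets  {fits(size)}  {label}")
```

Two things the numbers make concrete. First, a rollover with two RSA-2048 KSKs and two RSA-2048 ZSKs pushes the DNSKEY answer past 1472 octets under these assumptions, while the all-ECDSA version stays in the hundreds. Second, the DNSKEY RRset is only the most visible case: the ZSK signs every other RRset in the zone, so its modulus size sets the RRSIG size in every signed answer (an NSEC3 denial carrying several RRSIGs is a common worst case), which is why the exemption targets the ZSK rather than the KSK. The estimate ignores authority-section data and assumes compression, so treat it as a lower bound on real responses.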