Hi Ondřej, On 24 jan 2012, at 17:15, Ondřej Surý wrote:
> we did a small research on a secure and recommended keysizes
> and the result was that <1024 RSA keys are insecure (in fact 512bit
> keys can be factorized on common hardware).
>
> We came to conclusion that to be on a safe side the default should be:
>
> ZSK >= 1280 bits
> KSK >= 2048 bits
>
> With 1024 bits safe now, but recommended to be rolled to higher number
> of bits this year.
>
> These numbers are just for 2012 and maybe updated as time changes.
>
> Since almost anybody will just use default numbers in kasp.xml, I propose
> that we bump the default number for ZSK to 1280.
>
> Any opinions?

I'm missing some context information here; what made you conclude that 1024 bits would no longer be safe after 2012? Doesn't that also depend on the key rollover frequency used?

I would argue that for the commonly used ZSK rollover frequencies (i.e. 1-3 months) 1024 bit still suffices. And using a 1024 bit key has distinct benefits since it reduces the on-the-wire size of signatures as well as the on-the-wire size of the DNSKEY set.

It is - of course - a different situation for the KSK. I would assume that to be much longer lived in which case 2048 bit is a pretty safe bet for the foreseeable future (unless quantum computing becomes a reality this year ;-) ). Again, my opinion is that anything larger does not make sense (so I object somewhat to the greater-than-or-equals sign in your message above) since that impacts the on-the-wire size of DNS responses.

The last time I checked, the state-of-the-art was that 768-bit is no longer considered secure (see also http://arstechnica.com/security/news/2010/01/768-bit-rsa-cracked-1024-bit-safe-for-now.ars) against brute force attacks but that 1024-bit should be fine for some years to come. If no new information has become available about optimisations in factoring RSA moduli I see no reason to increase the recommended ZSK size under the assumption that the ZSK lifetime is 3 months or less.
When 1024-bit really becomes shaky it should be trivial to recommend users to move away to larger key sizes; that would be a simple matter of a rollover to a larger ZSK the next time it is rolled.

Those were my 2 cents ;-)

Cheers,

Roland

-- 
Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijsw...@surfnet.nl

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
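The on-the-wire cost that the reply above weighs against the extra key bits can be put in numbers. The following is an added example, not code from the thread or from OpenDNSSEC: it estimates the size of a DNSKEY response from the RDATA layouts in RFC 4034 (DNSKEY, RRSIG) and the RSA key encoding in RFC 3110, for an assumed zone name, an assumed key mix (one 2048-bit KSK, one or two ZSKs, DNSKEY RRset signed by the KSK only) and an assumed EDNS(0) OPT record with empty RDATA. The 512-byte and 1232-byte thresholds are the classic UDP limit and a commonly used EDNS buffer size, chosen here for illustration.

```python
"""Estimate DNSKEY-response wire size for different RSA key sizes.

Added example for the key-size discussion; not part of the original
thread or of OpenDNSSEC. Byte counts follow RFC 4034 (DNSKEY and RRSIG
RDATA) and RFC 3110 (RSA public key field); the zone name and key mix
below are assumptions made for the illustration.
"""
import math

HEADER_LEN = 12          # DNS message header
RR_FIXED_LEN = 12        # compressed owner (2) + type (2) + class (2) + TTL (4) + RDLENGTH (2)
OPT_RR_LEN = 11          # EDNS(0) OPT pseudo-RR with empty RDATA
RRSIG_FIXED_LEN = 18     # type covered, algorithm, labels, orig TTL, expiration, inception, key tag


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name ('example.com.' -> 13)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1  # +1 for the root label


def rsa_pubkey_len(bits: int, exponent: int = 65537) -> int:
    """RFC 3110 public key field: exponent length, exponent, modulus."""
    exp_len = max(1, (exponent.bit_length() + 7) // 8)
    len_field = 1 if exp_len < 256 else 3  # one byte, or 0 followed by a 16-bit length
    return len_field + exp_len + math.ceil(bits / 8)


def dnskey_rdata_len(bits: int, exponent: int = 65537) -> int:
    """DNSKEY RDATA: flags (2) + protocol (1) + algorithm (1) + public key."""
    return 4 + rsa_pubkey_len(bits, exponent)


def rrsig_rdata_len(bits: int, signer: str) -> int:
    """RRSIG RDATA: fixed fields + uncompressed signer name + PKCS#1 v1.5 signature.

    An RSA signature is exactly the modulus size, so the signature grows
    byte-for-byte with the key.
    """
    return RRSIG_FIXED_LEN + name_wire_len(signer) + math.ceil(bits / 8)


def dnskey_response_size(zone: str, ksk_bits: int, zsk_bits_list, signer_bits=None) -> int:
    """Bytes of a DNSKEY answer: question, every DNSKEY, RRSIG(s), OPT.

    By default the DNSKEY RRset is signed by the KSK only (assumption);
    pass signer_bits=[ksk_bits, zsk_bits] to model zones that sign with both.
    """
    signer_bits = signer_bits or [ksk_bits]
    size = HEADER_LEN + name_wire_len(zone) + 4  # question: QNAME + QTYPE + QCLASS
    for bits in [ksk_bits] + list(zsk_bits_list):
        size += RR_FIXED_LEN + dnskey_rdata_len(bits)
    for bits in signer_bits:
        size += RR_FIXED_LEN + rrsig_rdata_len(bits, zone)
    return size + OPT_RR_LEN


def compare_zsk_sizes(zone: str = "example.com.", ksk_bits: int = 2048,
                      candidates=(1024, 1280, 2048)) -> dict:
    """Response size for one ZSK and for two ZSKs (pre-publish rollover)."""
    result = {}
    for zsk in candidates:
        steady = dnskey_response_size(zone, ksk_bits, [zsk])
        rollover = dnskey_response_size(zone, ksk_bits, [zsk, zsk])
        result[zsk] = {
            "steady_state": steady,
            "during_rollover": rollover,
            "fits_512": rollover <= 512,
            "fits_1232": rollover <= 1232,
        }
    return result


if __name__ == "__main__":
    for zsk, info in compare_zsk_sizes().items():
        print(f"ZSK {zsk:4d} bits: {info}")
```

For the assumed `example.com.` zone with a 2048-bit KSK, moving the ZSK from 1024 to 1280 bits adds 32 bytes to the DNSKEY response per published ZSK, and the RRSIG on every other RRset in the zone grows by the same 32 bytes; none of the candidate sizes fits a 512-byte UDP response once the KSK is 2048 bits, which is the argument for keeping the rest of the response as small as the security margin allows.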