Hi,

As others stated: the short lifetime of a ZSK makes it reasonable to work with 1024 bit; the impact that key sizes have on efficiency of DNSSEC is big enough to not want to be paranoid; this is why there is the difference between ZSK and KSK in the first place. Rather than looking at conservative estimates such as Lenstra and Verheul's work, I would prefer to look at the status quo. Most algorithms erode gradually, and RSA has thus far been one of those. As long as no harsh and sudden things happen to RSA, something against which key size is not going to help either, we can pretty much rely on 1024 bit for a while to come. Also keep in mind that rolling a ZSK isn't going to be that difficult, and resolvers are operated by knowledgeable staff who can easily stop accepting any suddenly-unsafe key sizes.

As for the KSK, I would argue that 2048 is overzealous; the KSK might live for (say) 5 years but that's still only 60 times the shortest ZSK lifetime; it is a bit odd to be protecting the KSK more than the ZSK by extending the brute force cracking effort by a factor as high as SQRT(2^2048)/SQRT(2^1024) = 2^512; I would rather propose to lower KSK default settings to 1280 or 1136! Once again, the infrastructure exists to update a KSK if need be, and a knowledgeable resolver operator could stop accepting keys if RSA is broken tomorrow.

Miek, I do not agree that DNS is unattractive to crack; if I had a grudge against a large industrial firm I could try to redirect their traffic to me, and announce being near bankruptcy on their website (which would cause panic and could thereby end up being a self-fulfilling prophecy). Still, cracking a key still does not do it all -- it still takes the average of 3-6 months to mount a Kaminsky attack.

Cheers,
-Rick

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
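One way a zone or resolver operator could enforce the per-role key-size policy discussed above, as an added example (not Rick's code, nor OpenDNSSEC's): it parses DNSKEY RRs in presentation format, derives the RSA modulus size from the RFC 3110 key field (including the two-byte exponent-length form), and flags keys below a configured minimum for ZSK or KSK. The thresholds in MIN_BITS, the example.org owner name and the sample keys are constructed for this example.

```python
import base64
import struct

# Minimum RSA modulus size (bits) per role; policy values assumed for this example.
MIN_BITS = {"ZSK": 1024, "KSK": 2048}
RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def rsa_modulus_bits(pubkey_b64: str) -> int:
    """Modulus size of an RFC 3110 RSA public key: [exp_len][exponent][modulus]."""
    raw = base64.b64decode(pubkey_b64)
    if not raw:
        raise ValueError("empty public key")
    exp_len, offset = raw[0], 1
    if exp_len == 0:
        # Exponent longer than 255 bytes: length is carried in the next two bytes.
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = struct.unpack("!H", raw[1:3])[0], 3
    modulus = raw[offset + exp_len:]
    if not modulus:
        raise ValueError("missing modulus")
    return int.from_bytes(modulus, "big").bit_length()

def key_role(flags: int) -> str:
    """Bit 7 (0x0100) = Zone Key; bit 15 (0x0001) = SEP, conventionally the KSK."""
    if not flags & 0x0100:
        return "non-zone"
    return "KSK" if flags & 0x0001 else "ZSK"

def check_dnskey(rr: str) -> dict:
    """Check one 'owner TTL IN DNSKEY flags proto alg key...' RR against MIN_BITS."""
    f = rr.split()
    role, algorithm = key_role(int(f[4])), int(f[6])
    result = {"owner": f[0], "role": role, "algorithm": algorithm, "bits": None, "ok": None}
    if algorithm not in RSA_ALGORITHMS:
        return result  # size rule only applies to RSA keys; ok stays None
    result["bits"] = rsa_modulus_bits("".join(f[7:]))
    if role in MIN_BITS:
        result["ok"] = result["bits"] >= MIN_BITS[role]
    return result

def _fake_rsa_pubkey(modulus_bits: int, exponent: int = 65537) -> str:
    """Constructed RFC 3110 key with a dummy modulus of the requested size (not a real key)."""
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    hdr = bytes([len(exp_bytes)]) if len(exp_bytes) < 256 else b"\x00" + struct.pack("!H", len(exp_bytes))
    mod_bytes = ((1 << (modulus_bits - 1)) | 1).to_bytes((modulus_bits + 7) // 8, "big")
    return base64.b64encode(hdr + exp_bytes + mod_bytes).decode()

# Constructed sample zone: a 1024-bit ZSK and a 1280-bit KSK, both RSASHA256.
SAMPLE_ZONE = [
    f"example.org. 3600 IN DNSKEY 256 3 8 {_fake_rsa_pubkey(1024)}",
    f"example.org. 3600 IN DNSKEY 257 3 8 {_fake_rsa_pubkey(1280)}",
]
```

Running `[check_dnskey(rr) for rr in SAMPLE_ZONE]` marks the ZSK ok and the 1280-bit KSK not ok under the assumed 2048-bit KSK policy.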