Frederico A C Neves wrote:
> On Wed, Apr 02, 2014 at 04:25:10PM -0400, Nicholas Weaver wrote:
> >
> > IMO they do until validators record and use a 'root key ratchet':
> > never accept a key whose expiration is older than the inception date
> > of the RRSIG on the youngest root ZSK seen, or have s
Joe Abley wrote:
> I'm trying to understand the time-based attack, but I'm not seeing it.
I think a plausible form of this attack involves DNSSEC validation at
the edge.
(1) DoS your victim, to force them into trouble-shooting mode. Hopefully
they will reboot, at which point you can lie to them
On Wed, Apr 2, 2014 at 11:19 AM, 🔒 Roy Arends wrote:
> On 02 Apr 2014, at 15:19, Jim Reid wrote:
>
> > There's been a lot of noise and very little signal in the recent
> > discussion.
> >
> > It would be helpful if there was real data on this topic. Is an RSA key
> > of N bits too "weak" or too "str
I look forward to following further discussions on this topic.
-Rick
-Original Message-
From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Joe Abley
Sent: Wednesday, April 02, 2014 7:50 AM
To: Ted Lemon
Cc: IETF DNSOP WG
Subject: Re: [DNSOP] key lengths for DNSSEC
On 2 Apr 2014
Nicholas,
On Wed, Apr 02, 2014 at 04:25:10PM -0400, Nicholas Weaver wrote:
>
...
> And please don't discount the psychology of the issue. If DNSSEC
> wants to be taken seriously, it needs to show it. Using short keys
> for root and the major TLDs, under the assumptions that it can't be
> crack
On Apr 2, 2014, at 11:19 AM, 🔒 Roy Arends wrote:
>
> Just a thought that occurred to me. Crypto-mafia folk are looking for a
> minimum (i.e. at least so many bits, otherwise it's insecure). DNS-mafia folk
> are looking for a maximum (i.e. at most so many bits, otherwise
> fragmentation/fallbac
On Wed, Apr 02, 2014 at 11:33:20AM -0400, Ted Lemon wrote:
> Bear in mind that all you _really_ have to do is get a bogus ZSK with the
> current time into the resolver, which you may be able to do with some
> clever NTP shenanigans over a relatively short timescale. But yeah,
> this isn't likely
On Apr 2, 2014, at 10:49 AM, Joe Abley wrote:
> This seems like an intractably difficult thing to accomplish.
Bear in mind that all you _really_ have to do is get a bogus ZSK with the
current time into the resolver, which you may be able to do with some clever
NTP shenanigans over a relatively
On Wed, Apr 2, 2014 at 11:31 AM, Christopher Morrow wrote:
> On Wed, Apr 2, 2014 at 11:19 AM, 🔒 Roy Arends wrote:
>
>> Just a thought that occurred to me. Crypto-mafia folk are looking for a
>> minimum (i.e. at least so many bits, otherwise it's insecure). DNS-mafia folk
>> are looking for a max
On Wed, Apr 2, 2014 at 11:19 AM, 🔒 Roy Arends wrote:
> Just a thought that occurred to me. Crypto-mafia folk are looking for a
> minimum (i.e. at least so many bits, otherwise it's insecure). DNS-mafia folk
> are looking for a maximum (i.e. at most so many bits, otherwise
> fragmentation/fallba
Joe Abley (jabley) writes:
>
>
> 1. subverting sufficient NTP responses over a long enough period to cause the
> remote resolver's clock to turn back in time (long period suggested because
> many/most? implementations refuse large steps in time, and hence many
> smaller steps might be require
On 02 Apr 2014, at 15:19, Jim Reid wrote:
> There's been a lot of noise and very little signal in the recent discussion.
>
> It would be helpful if there was real data on this topic. Is an RSA key of N
> bits too "weak" or too "strong"? I don't know. Is N bits "good enough"?
> Probably. Change
On 2 Apr 2014, at 10:26, Ted Lemon wrote:
> The problem with the way you've phrased this question is that there does not
> seem to be agreement amongst the parties to this discussion whether old keys
> matter. If you think they do, you need longer keys. If you think they
> don't, you need
On Apr 2, 2014, at 10:19 AM, Jim Reid wrote:
> My gut feel is large ZSKs are overkill because the signatures should be
> short-lived and the keys rotated frequently. Though the trade-offs here are
> unclear: is a 512-bit key that changes daily (say) better than a 2048-bit key
> that gets rotate
There's been a lot of noise and very little signal in the recent discussion.
It would be helpful if there was real data on this topic. Is an RSA key of N
bits too "weak" or too "strong"? I don't know. Is N bits "good enough"?
Probably. Change the algorithm and/or value of N to taste.
My gut fee