[Opendnssec-develop] DSA key length in DNSKEY records

Olaf Kolkman olaf at NLnetLabs.nl
Wed Mar 17 12:03:21 UTC 2010

On Mar 17, 2010, at 12:34 PM, Alexd at nominet.org.uk wrote:

> My current best guess is that the DSA key length can be derived as (64 + 8*T) octets. However, I still don't think I've found anything which specifically confirms this (i.e. RFC 2536 doesn't actually confirm that the length of P is actually the key length - I think). 


Decide on a key length L and N. This is the primary measure of the cryptographic strength of the key. The original DSS constrained L to be a multiple of 64 between 512 and 1024 (inclusive). NIST 800-57 recommends lengths of 2048 (or 3072) for keys with security lifetimes extending beyond 2010 (or 2030), using correspondingly longer N. FIPS 186-3 specifies L and N length pairs of (1024,160), (2048,224), (2048,256), and (3072,256).


Olaf M. Kolkman                        NLnet Labs
                                       Science Park 140, 
http://www.nlnetlabs.nl/               1098 XG Amsterdam
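The length arithmetic discussed in this thread, worked through as an added example (not code from the original post or from OpenDNSSEC). It parses the DSA public key field of a DNSKEY RR in the RFC 2536 layout, where T is the first octet, Q is fixed at 20 octets, and P, G and Y are each 64 + 8*T octets, so L (the size of P in bits) follows directly from T and N is always 160. The sample fields are constructed filler bytes, not real keys, and the FIPS 186-3 pair table is the one quoted in the message above.

```python
"""Derive DSA parameter sizes from a DNSKEY public key field (RFC 2536 layout)."""
from typing import NamedTuple


class DsaPublicKey(NamedTuple):
    t: int
    q: bytes
    p: bytes
    g: bytes
    y: bytes


def dsa_component_length(t: int) -> int:
    """Octet length of P, G and Y for a given T: 64 + 8*T, with T in 0..8."""
    if not 0 <= t <= 8:
        raise ValueError(f"T must be in 0..8, got {t}")
    return 64 + 8 * t


def expected_field_length(t: int) -> int:
    """Total field length: T (1 octet) + Q (20 octets) + P, G and Y (64 + 8*T each)."""
    return 1 + 20 + 3 * dsa_component_length(t)


def parse_dsa_public_key(field: bytes) -> DsaPublicKey:
    """Split the public key field into its components, rejecting malformed lengths."""
    if len(field) < 1:
        raise ValueError("empty DSA public key field")
    t = field[0]
    n = dsa_component_length(t)
    want = expected_field_length(t)
    if len(field) != want:
        raise ValueError(f"T={t} implies {want} octets, field has {len(field)}")
    q = field[1:21]
    p = field[21:21 + n]
    g = field[21 + n:21 + 2 * n]
    y = field[21 + 2 * n:21 + 3 * n]
    return DsaPublicKey(t, q, p, g, y)


def modulus_bits(key: DsaPublicKey) -> int:
    """L, the size of P in bits. Q is fixed at 20 octets in RFC 2536, so N is always 160."""
    return len(key.p) * 8


# (L, N) pairs listed in FIPS 186-3, as quoted in the message above.
FIPS_186_3_PAIRS = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}


def is_fips_186_3_size(key: DsaPublicKey) -> bool:
    """True if the (L, N) pair of this key is one FIPS 186-3 allows."""
    return (modulus_bits(key), len(key.q) * 8) in FIPS_186_3_PAIRS


def build_sample_field(t: int) -> bytes:
    """Constructed filler bytes in the RFC 2536 layout; not a real DSA key."""
    n = dsa_component_length(t)
    return bytes([t]) + b"\x11" * 20 + b"\x22" * n + b"\x33" * n + b"\x44" * n


if __name__ == "__main__":
    for t in range(9):
        key = parse_dsa_public_key(build_sample_field(t))
        print(f"T={t}: P is {len(key.p)} octets, L={modulus_bits(key)} bits, "
              f"N=160, FIPS 186-3 pair: {is_fips_186_3_size(key)}")
```

Running the block shows that only T=8 (L=1024) lands on a FIPS 186-3 pair; every smaller T gives a modulus between 512 and 960 bits, and the RFC 2536 encoding cannot express the 2048- or 3072-bit sizes NIST 800-57 recommends, because T is capped at 8 and Q at 20 octets.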
