[Opendnssec-develop] DSA key length in DNSKEY records
olaf at NLnetLabs.nl
Wed Mar 17 12:03:21 UTC 2010
On Mar 17, 2010, at 12:34 PM, Alexd at nominet.org.uk wrote:
> My current best guess is that the DSA key length can be derived as (64 + 8*T) octets. However, I still don't think I've found anything which specifically confirms this (i.e. RFC 2536 doesn't actually confirm that the length of P is actually the key length - I think).
Decide on a key length L and N. This is the primary measure of the cryptographic strength of the key. The original DSS constrained L to be a multiple of 64 between 512 and 1024 (inclusive). NIST 800-57 recommends lengths of 2048 (or 3072) for keys with security lifetimes extending beyond 2010 (or 2030), using correspondingly longer N. FIPS 186-3 specifies L and N length pairs of (1024,160), (2048,224), (2048,256), and (3072,256).
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
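
The following is an added example, not part of the original messages or of OpenDNSSEC. It parses the DSA public key field of a DNSKEY record using the RFC 2536 layout (T, a 20-octet Q, then P, G and Y of 64 + 8*T octets each) and reports both the declared length L and the actual bit length of P. The names `parse_dsa_dnskey` and `make_sample` are hypothetical, and the sample bytes are constructed for layout only and are not a valid key.

```python
Q_LEN = 20  # RFC 2536: Q is always 20 octets (N = 160 bits)

def parse_dsa_dnskey(pubkey: bytes) -> dict:
    """Split an RFC 2536 DSA public key field laid out as T | Q | P | G | Y."""
    if not pubkey:
        raise ValueError("empty public key field")
    t = pubkey[0]
    if t > 8:
        raise ValueError(f"T={t} is reserved; RFC 2536 allows 0..8")
    n = 64 + 8 * t                      # octets in each of P, G and Y
    expected = 1 + Q_LEN + 3 * n
    if len(pubkey) != expected:
        raise ValueError(f"T={t} implies {expected} octets, got {len(pubkey)}")
    p = pubkey[1 + Q_LEN : 1 + Q_LEN + n]
    return {
        "T": t,
        "param_octets": n,
        "L_bits": 8 * n,                # declared size of P: 512 + 64*T
        "N_bits": 8 * Q_LEN,
        # Actual size of the modulus; smaller than L_bits if P has leading zeros.
        "p_bit_length": int.from_bytes(p, "big").bit_length(),
    }

def make_sample(t: int, p_top: int = 0x80) -> bytes:
    """Constructed field with the right layout; NOT a valid DSA key."""
    n = 64 + 8 * t
    q = b"\x01" * Q_LEN
    p = bytes([p_top]) + b"\x00" * (n - 2) + b"\x01"
    g = (2).to_bytes(n, "big")
    y = (3).to_bytes(n, "big")
    return bytes([t]) + q + p + g + y

if __name__ == "__main__":
    for t in (0, 8):
        info = parse_dsa_dnskey(make_sample(t))
        print(t, info["param_octets"], info["L_bits"], info["p_bit_length"])
```

Comparing `p_bit_length` with `L_bits` catches a key whose P is padded with leading zero bits and is therefore shorter than the field size suggests.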