[Opendnssec-user] Default ZSK sizes

Ondřej Surý ondrej at sury.org
Tue Jan 24 16:15:13 UTC 2012


We did some small research on secure and recommended key sizes,
and the result was that <1024 RSA keys are insecure (in fact, 512-bit
keys can be factorized on common hardware).

We came to the conclusion that, to be on the safe side, the default should be:

ZSK >= 1280 bits
KSK >= 2048 bits

With 1024 bits being safe now, but recommended to be rolled to a higher number
of bits this year.

These numbers are just for 2012 and may be updated as time changes.

Since almost anybody will just use default numbers in kasp.xml, I propose
that we bump the default number for ZSK to 1280.

Any opinions?

Ondřej Surý <ondrej at sury.org>
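
An added example, not part of the original message or of OpenDNSSEC: a Python check that reads the `length` attribute of each `<Algorithm>` element under `<KSK>` and `<ZSK>` in a kasp.xml and reports RSA keys below the minimums proposed above. The sample policies are constructed and trimmed to the elements the check reads, and the name `audit_kasp` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Minimum RSA modulus sizes proposed in the message above (2012 figures).
MIN_BITS = {"ZSK": 1280, "KSK": 2048}
# DNSSEC algorithm numbers that use RSA keys (IANA registry).
RSA_ALGORITHMS = {1, 5, 7, 8, 10}

# Constructed sample, not a real deployment's kasp.xml.
SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm></ZSK>
    </Keys>
  </Policy>
  <Policy name="lab">
    <Keys>
      <KSK><Algorithm length="1024">7</Algorithm></KSK>
      <ZSK><Algorithm>8</Algorithm></ZSK>
    </Keys>
  </Policy>
</KASP>"""

def audit_kasp(xml_text):
    """Return (policy, role, bits, minimum) for every RSA key below the minimum.

    bits is None when the length attribute is missing or not a number.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("Policy"):
        name = policy.get("name", "<unnamed>")
        for role, minimum in MIN_BITS.items():
            for alg in policy.findall(f"./Keys/{role}/Algorithm"):
                number = (alg.text or "").strip()
                if not number.isdigit() or int(number) not in RSA_ALGORITHMS:
                    continue  # the thresholds apply to RSA keys only
                length = alg.get("length", "")
                bits = int(length) if length.isdigit() else None
                if bits is None or bits < minimum:
                    findings.append((name, role, bits, minimum))
    return findings

if __name__ == "__main__":
    for name, role, bits, minimum in audit_kasp(SAMPLE_KASP):
        print(f"policy {name}: {role} length {bits} is below {minimum}")
```
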
