[Opendnssec-user] Default ZSK sizes

Roland van Rijswijk Roland.vanRijswijk at surfnet.nl
Tue Jan 24 16:39:05 UTC 2012

Hi Ondřej,

On 24 jan 2012, at 17:15, Ondřej Surý wrote:

> we did a little research on secure and recommended key sizes
> and the result was that <1024 RSA keys are insecure (in fact 512-bit
> keys can be factorized on common hardware).
> We came to the conclusion that to be on the safe side the default should be:
> ZSK >= 1280 bits
> KSK >= 2048 bits
> With 1024 bits safe now, but recommended to be rolled to higher number
> of bits this year.
> These numbers are just for 2012 and may be updated as time changes.
> Since almost anybody will just use default numbers in kasp.xml, I propose
> that we bump the default number for ZSK to 1280.
> Any opinions?

I'm missing some context information here; what made you conclude that 1024 bits would no longer be safe after 2012? Doesn't that also depend on the key rollover frequency used? I would argue that for the commonly used ZSK rollover frequencies (i.e. 1-3 months) 1024 bit still suffices. And using a 1024 bit key has distinct benefits since it reduces the on-the-wire size of signatures as well as the on-the-wire size of the DNSKEY set.

It is - of course - a different situation for the KSK. I would assume that to be much longer lived in which case 2048 bit is a pretty safe bet for the foreseeable future (unless quantum computing becomes a reality this year ;-) ). Again, my opinion is that anything larger does not make sense (so I object somewhat to the greater-than-or-equals sign in your message above) since that impacts the on-the-wire size of DNS responses.

The last time I checked, the state-of-the-art was that 768-bit is no longer considered secure (see also http://arstechnica.com/security/news/2010/01/768-bit-rsa-cracked-1024-bit-safe-for-now.ars) against brute force attacks but that 1024-bit should be fine for some years to come.

If no new information has become available about optimisations in factoring RSA moduli I see no reason to increase the recommended ZSK size under the assumption that the ZSK lifetime is 3 months or less. When 1024-bit really becomes shaky it should be trivial to recommend users to move away to larger key sizes; that would be a simple matter of a rollover to a larger ZSK the next time it is rolled.

Those were my 2 cents ;-)



-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
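
The on-the-wire cost discussed in this message can be put in numbers. The following is an added example, not part of the original e-mail: it computes DNSKEY and RRSIG sizes from the RFC 4034 RDATA layouts and the RFC 3110 RSA key encoding. The zone name example.nl, the public exponent 65537, a DNSKEY set signed only by the KSK, and an EDNS0 OPT record in the response are assumptions.

```python
# Added example: DNSSEC wire sizes for RSA keys (RFC 4034 / RFC 3110 layouts).
# Assumptions: exponent 65537, owner names compressed to 2-byte pointers,
# DNSKEY RRset signed by the KSK only, response carries an 11-byte OPT record.

def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name (length byte per label + root)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def rsa_pubkey_len(bits: int, exponent: int = 65537) -> int:
    """RFC 3110: exponent-length field (1 or 3 bytes), exponent, modulus."""
    exp_len = (exponent.bit_length() + 7) // 8
    prefix = 1 if exp_len <= 255 else 3
    return prefix + exp_len + bits // 8

def dnskey_rdata_len(bits: int, exponent: int = 65537) -> int:
    """RFC 4034 2.1: flags(2) + protocol(1) + algorithm(1) + public key."""
    return 4 + rsa_pubkey_len(bits, exponent)

def rrsig_rdata_len(bits: int, signer: str) -> int:
    """RFC 4034 3.1: 18 fixed bytes + uncompressed signer name + signature."""
    return 18 + name_wire_len(signer) + bits // 8

# Compressed owner pointer (2) + type, class, TTL, rdlength (10).
RR_FIXED = 2 + 10

def dnskey_response_len(zone: str, zsk_bits: int, ksk_bits: int,
                        zsk_count: int = 1) -> int:
    """Size of a DNSKEY response: one KSK, zsk_count ZSKs, one RRSIG by the KSK."""
    size = 12 + name_wire_len(zone) + 4                  # header + question
    size += RR_FIXED + dnskey_rdata_len(ksk_bits)        # KSK
    size += zsk_count * (RR_FIXED + dnskey_rdata_len(zsk_bits))
    size += RR_FIXED + rrsig_rdata_len(ksk_bits, zone)   # RRSIG over DNSKEY set
    size += 11                                           # EDNS0 OPT record
    return size

if __name__ == "__main__":
    zone = "example.nl"  # constructed zone name
    for zsk in (1024, 1280, 2048):
        per_sig = RR_FIXED + rrsig_rdata_len(zsk, zone)
        steady = dnskey_response_len(zone, zsk, 2048)
        rolling = dnskey_response_len(zone, zsk, 2048, zsk_count=2)
        print(f"ZSK {zsk}: RRSIG RR {per_sig} B per signed RRset, "
              f"DNSKEY response {steady} B (2 ZSKs during rollover: {rolling} B)")
```
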
