[Opendnssec-user] Default ZSK sizes

Ondrej Mikle ondrej.mikle at nic.cz
Tue Jan 24 18:04:05 UTC 2012


Roland van Rijswijk wrote:

>> we did a small research on a secure and recommended keysizes
>> and the result was that <1024 RSA keys are insecure (in
> fact 512bit > keys can be factorized on common hardware).
>> > We came to conclusion that to be on a safe
> side the default should be: > > ZSK >= 1280
> bits > KSK >= 2048 bits > > With 1024
> bits safe now, but recommended to be rolled to higher number
>> of bits this year. > > These numbers
> are just for 2012 and maybe updated as time changes. 
>
> I'm missing some context information here; what made you conclude that
> 1024 bits would no longer be safe after 2012? 

Some additional context:

We also know that certain registrars share KSK and ZSK for thousands of
domains, signing RRs on behalf of the users (it's a feature for users
that do not want to deal with signign directly). That makes such keys
much more valuable (also, using keys in this way is generally not a good
idea, but we have to deal with that later).

We based the keysizes mostly on the ECRYPT II 2011 report:
http://www.ecrypt.eu.org/documents/D.SPA.17.pdf

(There is also very, very distilled table on suggested key sizes here:
http://www.keylength.com/en/3/)

> Doesn't that also depend
> on the key rollover frequency used? I would argue that for the
> commonly used ZSK rollover frequencies (i.e. 1-3 months) 1024 bit
> still suffices. And using a 1024 bit key has distinct benefits since
> it reduces the on-the-wire size of signatures as well as the
> on-the-wire size of the DNSKEY set.

Yes, rollover frequency is a factor, but I agree with Eric Rescorla that
key rollover may not add as much security compared to increasing key size:
http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html

> It is - of course - a different situation for the KSK. I would assume
> that to be much longer lived in which case 2048 bit is a pretty safe
> bet for the foreseeable future (unless quantum computing becomes a
> reality this year ;-) ). Again, my opinion is that anything larger
> does not make sense (so I object somewhat to the
> greather-than-or-equals sign in your message above)

Agreed. A better formulation might be: "minimal KSK RSA modulus size:
2048 bits, recommended size: 2048 bits" (which basically means the same
as the greater-than-or-equal-sign :-))

> The last time I checked, the state-of-the-art was that 768-bit is no
> longer considered secure (see also http://arstechnica.com/security/news/2010/01/768-bit-rsa-cracked-1024-bit-safe-for-now.ars) 
> against brute force attacks but that 1024-bit should be fine for some
> years to come.

While there is no official record of factoring 1024-bit key, the ECRYPT
report mentions claim that 1024-bit key could have been factorized in a
worst case scenario (pdf page 37). On following page, RFC 3766 and 4359
are mentioned - RFC 4359 gave 1 year max lifetime to 1024-bit modulus
(written in 2006). Chapter 7 sums up minimum key sizes that give
protection only for a few months against various attackers (threat model
is important when choosing things like key sizes).


Ondrej Mikle



More information about the Opendnssec-user mailing list