[Opendnssec-user] Default ZSK sizes

Jakob Schlyter jakob at kirei.se
Tue Jan 24 22:36:55 UTC 2012

On 24 jan 2012, at 17:15, Ondřej Surý wrote:

> Any opinions?

I very much disagree. There is no reason to stop recommending 1024-bit RSA keys. I did ask Paul Hoffman, and got the following reply:

"A 1024-bit key whose value is under US$100M is secure for many years in the future; see RFC 3766. No one has even publicly broken an 800-bit key (other than one "special" 1024 bit key that was really 768 bits of strength), ever. The leap from 800 to 1024 is huge unless there is a significant new cryptographic technique discovered. If such a technique is found, it might apply to 1280 bit keys as well: there is no way to tell because it hasn't been discovered."

Paul continues with:

"In specific, RFC 3766 (of which I am co-author) refers to an adversary that is willing to spend US$1trillion (yes, "trillion" not "billion"). We did that on purpose. No DNSSEC key is worth that much, so no adversary would spend that much to break it. RFC 4359 refers to guesses made in the original TWIRL specification, and those guesses have never been tested in public. TWIRL might still become real, but if it does, there is no way to predict if TWIRL-next will also work on 2048-bit keys. If someone is willing to spend tens of millions of dollars to develop TWIRL, they'll spend an equal amount improving it past 1024 bit keys; we don't know how far it would go.

If you are relying on guesses about massive improvements in integer factorization in RSA (which are believable even if they are unpredictable), you are much safer going with ECDSA keys than trying to guess the limits of the key size that will *not* be affected by the unpredictable improvement."

'nuff said.
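The thread is about which RSA modulus size a ZSK should have, and whether ECDSA is the better answer. An operator who wants to know where an existing zone stands has to read the size out of the DNSKEY records themselves. The following is an added example, not code from this message or from OpenDNSSEC: it parses DNSKEY RDATA in presentation form, extracts the RSA modulus length from the RFC 3110 wire encoding (or the curve size from an RFC 6605 ECDSA key), and flags RSA keys below the 1024-bit floor this message defends. The sample records are constructed in the code from synthetic moduli; they are not real key material, and the 1024-bit threshold is taken from the discussion above rather than from any standard.

```python
import base64

# DNSSEC algorithm numbers from the IANA registry, limited to what the thread discusses.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
ECDSA_ALGORITHMS = {13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# Policy floor for RSA moduli; taken from the position argued in the thread, not a standard.
MIN_RSA_BITS = 1024


def encode_rsa_public_key(exponent: int, modulus: int) -> bytes:
    """Serialise an RSA public key in RFC 3110 wire format:
    exponent length (1 byte, or 0x00 followed by 2 bytes if the exponent
    is longer than 255 bytes), then exponent, then modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        header = bytes([len(exp)])
    else:
        header = b"\x00" + len(exp).to_bytes(2, "big")
    return header + exp + mod


def rsa_modulus_bits(public_key: bytes) -> int:
    """Inverse of the RFC 3110 layout: skip the exponent, measure the modulus."""
    if public_key[0] != 0:
        exp_len, offset = public_key[0], 1
    else:
        exp_len, offset = int.from_bytes(public_key[1:3], "big"), 3
    modulus = public_key[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def audit_dnskey(rdata: str) -> dict:
    """Classify one DNSKEY record given as 'flags protocol algorithm base64...'."""
    flags, _protocol, algorithm, *key_parts = rdata.split()
    algorithm = int(algorithm)
    key = base64.b64decode("".join(key_parts))
    # Flag bit 0x0001 is the Secure Entry Point bit: set on KSKs, clear on ZSKs.
    role = "KSK" if int(flags) & 1 else "ZSK"

    if algorithm in RSA_ALGORITHMS:
        bits = rsa_modulus_bits(key)
        verdict = "ok" if bits >= MIN_RSA_BITS else "below-minimum"
        name = RSA_ALGORITHMS[algorithm]
    elif algorithm in ECDSA_ALGORITHMS:
        # RFC 6605: the key is the uncompressed point x||y, so the curve size is half the length.
        bits = len(key) * 8 // 2
        verdict = "ok"
        name = ECDSA_ALGORITHMS[algorithm]
    else:
        bits, verdict, name = 0, "unknown-algorithm", f"alg{algorithm}"
    return {"role": role, "algorithm": name, "bits": bits, "verdict": verdict}


def make_rdata(flags: int, algorithm: int, key: bytes) -> str:
    """Build the presentation form of a DNSKEY RDATA (protocol is always 3)."""
    return f"{flags} 3 {algorithm} {base64.b64encode(key).decode()}"


# Constructed sample records. The moduli are synthetic numbers of a chosen bit
# length, not factors of anything; they only exercise the parser.
SAMPLE_ZSK_1024 = make_rdata(256, 8, encode_rsa_public_key(65537, (1 << 1023) | 1))
SAMPLE_ZSK_768 = make_rdata(256, 5, encode_rsa_public_key(65537, (1 << 767) | 1))
SAMPLE_KSK_2048 = make_rdata(257, 8, encode_rsa_public_key(65537, (1 << 2047) | 1))
SAMPLE_ZSK_P256 = make_rdata(256, 13, bytes(range(64)))


def audit_zone(records) -> list:
    """Audit a list of DNSKEY RDATA strings and return one result per record."""
    return [audit_dnskey(r) for r in records]


if __name__ == "__main__":
    for result in audit_zone([SAMPLE_ZSK_1024, SAMPLE_ZSK_768, SAMPLE_KSK_2048, SAMPLE_ZSK_P256]):
        print(result)
```

Feeding it the DNSKEY RRset of a live zone (e.g. the output of `dig DNSKEY example. +short`, one record per line) gives a quick inventory of which keys are RSA below the floor and which are already ECDSA, which is the comparison the message above is making.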
