[Opendnssec-user] Default ZSK sizes

Rick van Rein rick at openfortress.nl
Tue Jan 24 23:44:25 UTC 2012


As others stated: the short lifetime of a ZSK makes it
reasonable to work with 1024 bit; the impact that key
sizes have on efficiency of DNSSEC is big enought to not
want to be paranoid; this is why there is the difference
between ZSK and KSK in the first place.  Rather than
looking at conservative estimates such as Lenstra and
Verheul's work, I would prefer to look at the status
quo.  Most algorithms erode gradually, and RSA has thus
far been one of those.  As long as no harsh and sudden
things happen to RSA, something against which key size
is not going to help either, we can pretty much rely on
1024 bit for a while to come.  Also keep in mind that
rolling a ZSK isn't going to be that difficult, and
resolvers are operated by knowledgeable staff who can
easily stop accepting any suddenly-unsafe key sizes.

As for the KSK, I would argue that 2048 is overzealous;
the KSK might live for (say) 5 years but that's still
only 60 times the shortest ZSK lifetime; it is a bit odd
to be protecting the KSK more than the ZSK by extending
the brute force cracking effort by a factor as high as
SQRT(2^2048)/SQRT(2^1024) = 2^512; I would rather propose
to lower KSK default settings to 1280 or 1136!  Once again,
the infrastructure exists to update a KSK if need be, and
a knowledgeable resolver operator could stop accepting
keys if RSA is broken tomorrow.

Miek, I do not agree that DNS is unattractive to crack;
if I had a grudge against a large industrial firm I could
try to redirect their traffic to me, and announce being
near bankrupcy on their website (which would cause panic
and could thereby end up being a self-fulfilling prophecy).

Still, cracking a key still does not do it all -- it still
takes the average of 3-6 months to mount a Kaminsky attack.


More information about the Opendnssec-user mailing list