[Opendnssec-user] Default ZSK sizes

Ondrej Mikle ondrej.mikle at nic.cz
Wed Jan 25 11:27:22 UTC 2012


On 01/25/2012 12:44 AM, Rick van Rein wrote:
> 
> Miek, I do not agree that DNS is unattractive to crack;
> if I had a grudge against a large industrial firm I could
> try to redirect their traffic to me, and announce being
> near bankruptcy on their website (which would cause panic
> and could thereby end up being a self-fulfilling prophecy).

The attractiveness of cracking DNS keys will be even higher with the DANE
protocol on the way
(https://tools.ietf.org/html/draft-ietf-dane-protocol-14).

If an attacker could factor an RSA ZSK, he can use that key to circumvent a
stronger key in the X.509 certificate and eavesdrop on TLS connections by
forging a TLSA record (and TLS clients like browsers will accept it). At
that point a state-level attacker must be taken into account.

Ondrej Mikle
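A check that makes Ondrej's point measurable, added here as an example and not code from the thread or from OpenDNSSEC: it parses a DNSKEY RDATA (RFC 4034 wire format, RSA public key per RFC 3110), reads the modulus size, and reports that the trust a TLSA record can convey is bounded by the weaker of the zone key and the certificate key. The certificate key size is passed in as a number (assumed to come from an X.509 parse elsewhere), and the DNSKEY bytes are constructed test data, not a real key.

```python
import struct

# DNSSEC algorithm numbers that carry an RFC 3110 RSA public key
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

def parse_dnskey(rdata: bytes) -> dict:
    """Split DNSKEY RDATA (RFC 4034): flags, protocol, algorithm, public key."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA too short")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm, "key": rdata[4:]}

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus bit length of an RFC 3110 RSA key: [exp_len][exponent][modulus]."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # long form: zero byte, then a 2-byte exponent length
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("RSA public key has no modulus")
    return int.from_bytes(modulus, "big").bit_length()

def dane_effective_bits(dnskey_rdata: bytes, cert_key_bits: int) -> dict:
    """A TLSA record is only as trustworthy as the weaker of zone key and cert key."""
    key = parse_dnskey(dnskey_rdata)
    if key["algorithm"] not in RSA_ALGORITHMS:
        raise ValueError(f"not an RSA algorithm: {key['algorithm']}")
    zone_bits = rsa_modulus_bits(key["key"])
    return {
        "role": "KSK" if key["flags"] & 0x0001 else "ZSK",  # SEP bit set means KSK
        "zone_key_bits": zone_bits,
        "cert_bits": cert_key_bits,
        "effective_bits": min(zone_bits, cert_key_bits),
        "weaker_than_cert": zone_bits < cert_key_bits,
    }

def constructed_dnskey(modulus_bits: int, flags: int = 256, algorithm: int = 8) -> bytes:
    """Constructed DNSKEY RDATA with a dummy modulus of the given size (not a real key)."""
    exponent = b"\x01\x00\x01"  # 65537
    modulus = (1 << (modulus_bits - 1)) | 1  # top bit set so the length is exact
    modulus_bytes = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    return struct.pack("!HBB", flags, 3, algorithm) + bytes([len(exponent)]) + exponent + modulus_bytes

if __name__ == "__main__":
    # A 1024-bit ZSK vouching for a 2048-bit certificate key: DANE trust drops to 1024 bits
    print(dane_effective_bits(constructed_dnskey(1024), 2048))
```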


