[Opendnssec-user] Default ZSK sizes

Ondrej Mikle ondrej.mikle at nic.cz
Wed Jan 25 11:27:22 UTC 2012

On 01/25/2012 12:44 AM, Rick van Rein wrote:
> Miek, I do not agree that DNS is unattractive to crack;
> if I had a grudge against a large industrial firm I could
> try to redirect their traffic to me, and announce being
> near bankruptcy on their website (which would cause panic
> and could thereby end up being a self-fulfilling prophecy).

The attractiveness of cracking DNS keys will be even higher with the DANE
protocol on the way.

If an attacker could factor an RSA ZSK, he could use that key to circumvent a
stronger key in an X.509 certificate and eavesdrop on a TLS connection by
forging a TLSA record (and TLS clients like browsers will accept it). At
that point a state-level attacker must be taken into account.

Ondrej Mikle
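The weakest-link argument above (a DANE TLSA record is only as strong as the ZSK that signs it) can be checked mechanically against a zone's DNSKEY RRset. The following is an added example, not code from this thread or from OpenDNSSEC: it parses DNSKEY records in presentation format, reads the RSA modulus size out of the RFC 3110 key encoding, and reports the effective security floor when a certificate of a given key size is pinned via DANE. The sample RRset is constructed for the example, with dummy moduli that are only shaped like RSA keys.

```python
import base64

# DNSSEC algorithm numbers that use RSA (RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512)
RSA_ALGORITHMS = {5, 7, 8, 10}

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size in bits of an RSA DNSKEY public key in RFC 3110 format:
    1-byte exponent length (0 => a 2-byte length follows), exponent, then modulus."""
    if len(pubkey) < 2:
        raise ValueError("key too short")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("no modulus in key")
    return int.from_bytes(modulus, "big").bit_length()

def parse_dnskey(rr: str) -> dict:
    """Parse one DNSKEY RR in presentation format: owner [TTL] [IN] DNSKEY flags proto alg key."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, alg = int(fields[i + 1]), int(fields[i + 3])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    role = "KSK" if flags & 1 else "ZSK"          # SEP bit set -> key-signing key
    bits = rsa_modulus_bits(pubkey) if alg in RSA_ALGORITHMS else None
    return {"owner": fields[0], "role": role, "algorithm": alg, "bits": bits}

def dane_floor(dnskey_rrs, cert_bits: int) -> dict:
    """With DANE, a TLSA record signed by the ZSK vouches for the certificate, so the
    effective strength is the weaker of the RSA ZSK and the certificate's RSA key.
    Returns that floor plus every RSA ZSK weaker than the certificate."""
    zsks = [k for k in map(parse_dnskey, dnskey_rrs) if k["role"] == "ZSK" and k["bits"]]
    weak = [k for k in zsks if k["bits"] < cert_bits]
    floor = min([cert_bits] + [k["bits"] for k in zsks])
    return {"effective_bits": floor, "weak_zsks": weak}

def _constructed_rsa_key(bits: int) -> str:
    """Build a syntactically valid RFC 3110 blob with exponent 65537 and a dummy
    modulus of the given size (constructed for size checks only, not a usable key)."""
    modulus = bytes([0x80]) + b"\x00" * (bits // 8 - 1)
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

# Constructed sample RRset: a 2048-bit KSK and a 1024-bit ZSK, both RSASHA256 (alg 8).
SAMPLE_DNSKEYS = [
    f"example.com. 3600 IN DNSKEY 257 3 8 {_constructed_rsa_key(2048)}",
    f"example.com. 3600 IN DNSKEY 256 3 8 {_constructed_rsa_key(1024)}",
]
```

Running `dane_floor(SAMPLE_DNSKEYS, cert_bits=2048)` reports an effective floor of 1024 bits and lists the ZSK, which is the situation the post warns about.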
