[Opendnssec-user] Default ZSK sizes
ondrej.mikle at nic.cz
Wed Jan 25 11:27:22 UTC 2012
On 01/25/2012 12:44 AM, Rick van Rein wrote:
> Miek, I do not agree that DNS is unattractive to crack;
> if I had a grudge against a large industrial firm I could
> try to redirect their traffic to me, and announce being
> near bankruptcy on their website (which would cause panic
> and could thereby end up being a self-fulfilling prophecy).
The attractiveness of cracking DNS keys will be even higher with the DANE
protocol on the way.
If an attacker could factor an RSA ZSK, he could use that key to circumvent a
stronger key in an X.509 certificate and eavesdrop on a TLS connection by
forging a TLSA record (and TLS clients like browsers will accept it), at
which point a state-level attacker must be taken into account.
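The dependency Ondrej describes, worked through as an added example (this is not code from the thread or from the OpenDNSSEC project): a DANE-EE (usage 3) TLSA record is matched against the server's certificate or SubjectPublicKeyInfo per RFC 6698, with no CA involved, so a client's acceptance rests entirely on DNSSEC validation of the TLSA RRset, i.e. on the zone's signing key. The DER byte strings are constructed placeholders rather than real keys, and DNSSEC validation is modelled as a boolean, since the point is the trust dependency rather than the signature arithmetic.

```python
"""DANE/TLSA matching per RFC 6698, showing why a compromised ZSK is enough
to defeat TLS for a zone that publishes usage-3 TLSA records.

Added example, not code from the OpenDNSSEC project or the mailing-list post.
Assumptions: the *_SPKI / *_CERT byte strings are constructed placeholders for
DER data, and DNSSEC validation is represented by a boolean.
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 field values (section 2.1)
USAGE_DANE_EE = 3      # DANE-EE: trust this end-entity key directly, no PKI path
SELECTOR_FULL = 0      # match the full certificate
SELECTOR_SPKI = 1      # match the SubjectPublicKeyInfo only
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching: int
    data: bytes

    def presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def parse_tlsa(text: str) -> TLSARecord:
    """Parse the zone-file presentation form back into a record."""
    usage, selector, matching, hexdata = text.split()
    return TLSARecord(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))


def _selected(cert_der: bytes, spki_der: bytes, selector: int) -> bytes:
    if selector == SELECTOR_FULL:
        return cert_der
    if selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def _matched(data: bytes, matching: int) -> bytes:
    if matching == MATCH_EXACT:
        return data
    if matching == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_for(cert_der: bytes, spki_der: bytes, usage: int = USAGE_DANE_EE,
             selector: int = SELECTOR_SPKI, matching: int = MATCH_SHA256) -> TLSARecord:
    """Build the TLSA record an operator (or a ZSK-holding attacker) would publish."""
    return TLSARecord(usage, selector, matching,
                      _matched(_selected(cert_der, spki_der, selector), matching))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 matching: select the certificate part, apply the matching type, compare."""
    return _matched(_selected(cert_der, spki_der, record.selector), record.matching) == record.data


def dane_ee_accepts(records, dnssec_validated: bool, cert_der: bytes, spki_der: bytes) -> bool:
    """Client decision for usage 3. No CA check is performed at all, so the only
    thing between an attacker and acceptance is DNSSEC validation of the TLSA
    RRset, which a factored ZSK lets the attacker satisfy."""
    if not dnssec_validated:
        return False  # RFC 6698 section 4.1: unvalidated TLSA records must not be used
    return any(r.usage == USAGE_DANE_EE and tlsa_matches(r, cert_der, spki_der)
               for r in records)


# Constructed placeholders standing in for DER-encoded certificate data.
LEGIT_SPKI = b"constructed:spki:legit-server-key"
LEGIT_CERT = b"constructed:cert:ca-signed:" + LEGIT_SPKI
ATTACKER_SPKI = b"constructed:spki:attacker-key"
ATTACKER_CERT = b"constructed:cert:self-signed:" + ATTACKER_SPKI


def scenario() -> dict:
    published = tlsa_for(LEGIT_CERT, LEGIT_SPKI)        # signed by the real ZSK
    forged = tlsa_for(ATTACKER_CERT, ATTACKER_SPKI)     # signable by whoever holds the ZSK
    return {
        "legit_cert_accepted": dane_ee_accepts([published], True, LEGIT_CERT, LEGIT_SPKI),
        "attacker_cert_rejected_by_real_record": dane_ee_accepts([published], True, ATTACKER_CERT, ATTACKER_SPKI),
        "attacker_cert_accepted_with_forged_record": dane_ee_accepts([forged], True, ATTACKER_CERT, ATTACKER_SPKI),
        "forged_record_unusable_without_dnssec": dane_ee_accepts([forged], False, ATTACKER_CERT, ATTACKER_SPKI),
        "published_rr": published.presentation(),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The third result is the one that matters for ZSK sizing: the attacker's self-signed certificate passes DANE-EE validation as soon as the attacker can sign a TLSA RRset for the name, and nothing in the X.509 certificate's own key strength enters that decision.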