[Opendnssec-user] Default ZSK sizes

Paul Wouters paul at nohats.ca
Thu Jan 26 02:11:19 UTC 2012


On Wed, 25 Jan 2012, Ondřej Surý wrote:

> Why sad? I think it's useful to discuss this once in a while.  Also because
> it looks like (for an outsider) that cryptographers are like lawyers.  You ask
> 5 lawyers about something and you get 7 different opinions :).

The ones I talk to start laughing once I mention we don't need long
protection times in the future (e.g. not encrypting for 20 years). RSA
1024 is more than enough, especially if you can roll in a day. They
thought 2048 was extreme overkill. So I guess it's a good margin.

They also all suggest using ECC to bring signature sizes down, once
I explain we care about packet sizes, proving also that cryptographers
are, in fact, not lawyers :)

Paul


