On Tuesday, May 22, 2018 at 1:04:31 PM UTC-4, Paul Wouters wrote:
> On Tue, 22 May 2018, Ryan Sleevi via dev-security-policy wrote:
>
> > However, what does this buy us? Considering that the ZSKs are intentionally
> > designed to be frequently rotated (24 - 72 hours), thus permitting weaker
> > key sizes (RSA-512),
>
> I don't know anyone who believes or uses these timings or key sizes. It
> might be done as an _attack_ but it would be a very questionable
> deployment.
>
> I know of 12400 512-bit RSA ZSKs in a total of about 6.5 million. And I
> consider those to be an operational mistake.
These are "legacy" zones where ~3 operators are having some trouble getting
better keys in place, but the swamp is slowly getting drained. A few months
back the total was ~12900, out of a smaller overall total. ZSKs are
predominantly 1024-bit, with a noticeably large minority using 1280 bits.

Latest stats:
https://lists.dns-oarc.net/pipermail/dns-operations/2018-May/017628.html

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
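The thread is about the distribution of RSA ZSK sizes in the DNSSEC-signed zone population. The script below is an added example and is not part of the original message or any poster's code: it parses presentation-format DNSKEY records, decodes the RFC 3110 RSA public key (exponent length, exponent, modulus), classifies each key as ZSK or KSK from the RFC 4034 flags field, and reports the modulus size so that 512-, 1024- and 1280-bit ZSKs can be counted the way the thread does. The sample records are constructed placeholders whose moduli are synthetic numbers of the stated bit lengths (not real zone keys), and the 1024-bit "weak" threshold is an assumption chosen to match the thread's concern, not a number from the thread.

```python
"""Survey RSA ZSK sizes from DNSKEY records.

Added example, not from the mailing-list thread. Assumptions: records are in
presentation format (owner [TTL] [class] DNSKEY flags proto alg key...), RSA
keys use the RFC 3110 wire encoding, and SAMPLE_RECORDS are constructed
placeholders rather than real zone keys.
"""
import base64
import struct
from collections import Counter

FLAG_ZONE_KEY = 0x0100  # RFC 4034 flags bit 7: this is a zone key
FLAG_SEP = 0x0001       # RFC 4034 flags bit 15: Secure Entry Point (KSK by convention)
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}


def encode_rfc3110(exponent, modulus):
    """RFC 3110 public key: exponent length (1 octet, or 0 + 2 octets), exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    header = bytes([len(e)]) if len(e) < 256 else b"\x00" + struct.pack(">H", len(e))
    return header + e + n


def decode_rfc3110(blob):
    """Inverse of encode_rfc3110; raises ValueError on empty or truncated input."""
    if len(blob) < 3:
        raise ValueError("RFC 3110 blob too short")
    if blob[0] != 0:
        e_len, off = blob[0], 1
    else:
        e_len, off = struct.unpack(">H", blob[1:3])[0], 3
    e, n = blob[off:off + e_len], blob[off + e_len:]
    if len(e) != e_len or not n:
        raise ValueError("RFC 3110 blob truncated")
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")


def parse_dnskey(rr):
    """Parse one DNSKEY RR and return owner, flags, algorithm, role and RSA modulus bits."""
    tokens = rr.split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = int(tokens[i + 1]), int(tokens[i + 2]), int(tokens[i + 3])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    blob = base64.b64decode("".join(tokens[i + 4:]))
    if not flags & FLAG_ZONE_KEY:
        role = "not-a-zone-key"
    elif flags & FLAG_SEP:
        role = "KSK"
    else:
        role = "ZSK"
    bits = None  # only meaningful for RSA; ECDSA/EdDSA keys have no modulus to measure
    if alg in RSA_ALGORITHMS:
        _, modulus = decode_rfc3110(blob)
        bits = modulus.bit_length()
    return {"owner": tokens[0], "flags": flags, "alg": alg, "role": role, "bits": bits}


def survey(records, weak_below=1024):
    """Histogram RSA ZSK sizes and list owners whose ZSK modulus is below weak_below bits."""
    sizes = Counter()
    weak = []
    for rr in records:
        k = parse_dnskey(rr)
        if k["role"] != "ZSK" or k["bits"] is None:
            continue
        sizes[k["bits"]] += 1
        if k["bits"] < weak_below:
            weak.append(k["owner"])
    return {"sizes": dict(sizes), "weak_zsks": weak}


def _fake_rsa_record(owner, flags, alg, bits):
    """Constructed record with a placeholder modulus of the requested size (not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    key = base64.b64encode(encode_rfc3110(65537, modulus)).decode()
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {key}"


# Constructed sample input: one 512-bit legacy ZSK, the common 1024/1280-bit ZSKs,
# a 2048-bit KSK, and an ECDSA P-256 ZSK (64 placeholder octets, no modulus).
SAMPLE_RECORDS = [
    _fake_rsa_record("legacy.example.", 256, 5, 512),
    _fake_rsa_record("typical.example.", 256, 8, 1024),
    _fake_rsa_record("odd.example.", 256, 8, 1280),
    _fake_rsa_record("typical.example.", 257, 8, 2048),
    "modern.example. 3600 IN DNSKEY 256 3 13 " + base64.b64encode(b"\x01" * 64).decode(),
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(parse_dnskey(record))
    print(survey(SAMPLE_RECORDS))
```

Feed it the output of `dig +short DNSKEY zone.` (prefixed with the owner name) or a zone dump to get the same ZSK/KSK split and size histogram the thread refers to; the 1024-bit threshold in `survey()` is an assumption and should be set to whatever a given policy treats as too small.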