On Tuesday, May 22, 2018 at 1:32:51 PM UTC-4, [email protected] wrote:
> On Tuesday, May 22, 2018 at 1:04:31 PM UTC-4, Paul Wouters wrote:
> > On Tue, 22 May 2018, Ryan Sleevi via dev-security-policy wrote:
> >
> > > However, what does this buy us? Considering that the ZSKs are
> > > intentionally designed to be frequently rotated (24 - 72 hours), thus
> > > permitting weaker key sizes (RSA-512),
> >
> > I don't know anyone who believes or uses these timings or key sizes. It
> > might be done as an _attack_ but it would be a very questionable
> > deployment.
> >
> > I know of 12400 512 bit RSA ZSKs in a total of about 6.5 million. And I
> > consider those to be an operational mistake.
>
> These are "legacy" zones where ~3 operators are having some trouble getting
> better keys in place, but the swamp is slowly getting drained; a few months
> back the total was ~12900, out of a smaller overall total. ZSKs are
> predominantly 1024-bit, with a noticeably large minority using 1280 bits.
> Latest stats:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2018-May/017628.html
As for ZSK lifetime, among still extant domains the average (last seen - first seen) time of no longer published ZSKs is 59 days. This is strongly indicative of a 60-day cycle at the larger DNSSEC-hosting providers. The sample size is 5187051 retired ZSKs. The standard deviation is 34 days. So we can estimate that most ZSKs are rotated in 30-90 days. The sample size is ~5.2 million domains.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
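The thread above treats 512-bit RSA ZSKs as an operational mistake to be found and drained out of a zone population. The following is an added example, not code from this thread or from any of the participants, of the check an operator would run over their own DNSKEY records to find such keys: it parses DNSKEY records in presentation format, decodes the RFC 3110 RSA public key encoding (one-byte exponent length, or a zero byte followed by a two-byte length) to recover the modulus bit length, and flags RSA keys below a threshold. The `MIN_RSA_BITS` threshold, the record owner names and the key material are all constructed for this example; the moduli are synthetic integers with the right bit length, not real RSA keys.

```python
import base64
import struct

# RSA-based DNSSEC algorithm numbers; ECDSA and EdDSA keys have fixed sizes
# and are skipped by the audit below.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
MIN_RSA_BITS = 1024  # assumed audit threshold for this example


def rsa_modulus_bits(public_key: bytes) -> int:
    """Return the modulus bit length of an RFC 3110 encoded RSA public key."""
    if not public_key:
        raise ValueError("empty public key")
    exp_len = public_key[0]
    offset = 1
    if exp_len == 0:
        # A zero first byte means the next two bytes carry the exponent length.
        if len(public_key) < 3:
            raise ValueError("truncated exponent length")
        exp_len = struct.unpack("!H", public_key[1:3])[0]
        offset = 3
    modulus = public_key[offset + exp_len:]
    if not modulus:
        raise ValueError("missing modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(rr: str) -> dict:
    """Parse one DNSKEY record in presentation format (owner [TTL] IN DNSKEY ...)."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = int(fields[idx + 1]), int(fields[idx + 2]), int(fields[idx + 3])
    key = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split across fields
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key": key}


def audit_dnskeys(records):
    """Return (owner, role, algorithm, bits) for every RSA key below MIN_RSA_BITS."""
    findings = []
    for rr in records:
        rec = parse_dnskey(rr)
        if rec["algorithm"] not in RSA_ALGORITHMS:
            continue
        bits = rsa_modulus_bits(rec["key"])
        role = "KSK" if rec["flags"] & 1 else "ZSK"  # SEP bit set marks the KSK
        if bits < MIN_RSA_BITS:
            findings.append((rec["owner"], role, RSA_ALGORITHMS[rec["algorithm"]], bits))
    return findings


def make_rsa_dnskey(owner, flags, algorithm, modulus_bits):
    """Build a constructed DNSKEY record; the modulus is synthetic, not a real RSA key."""
    exponent = (65537).to_bytes(3, "big")
    modulus = (1 << (modulus_bits - 1)) | 1  # top bit set so bit_length() == modulus_bits
    modulus_bytes = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    key = bytes([len(exponent)]) + exponent + modulus_bytes
    return f"{owner} 3600 IN DNSKEY {flags} 3 {algorithm} {base64.b64encode(key).decode()}"


# Constructed sample zone data: one legacy 512-bit ZSK next to acceptable keys.
SAMPLE_ZONE = [
    make_rsa_dnskey("legacy.example.", 256, 8, 512),
    make_rsa_dnskey("legacy.example.", 257, 8, 2048),
    make_rsa_dnskey("ok.example.", 256, 8, 1024),
    make_rsa_dnskey("ok.example.", 256, 8, 1280),
]

if __name__ == "__main__":
    for owner, role, alg, bits in audit_dnskeys(SAMPLE_ZONE):
        print(f"{owner} {role} {alg} {bits}-bit modulus is below {MIN_RSA_BITS} bits")
```

On live data the records would come from a zone file or from `dig DNSKEY` output rather than from `make_rsa_dnskey`; the parser accepts either the four-field or five-field presentation layout because it locates the `DNSKEY` token rather than assuming a TTL column.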

