Paul,

Paul Wouters wrote:
> On Wed, 22 Apr 2009, Shane Kerr wrote:
>
>> I don't think this is a waste, really. I think if we recommend 1024 as
>> the text does, then we'll have to revisit it in 3 or 4 years.
>
> Is this for ZSK or KSK? Because if you pick equal sizes, then both would be
> equally vulnerable to the same brute force attack, and often cycling a
> ZSK of equal size to the KSK key does not make much sense - the attackers would
> just ignore the ZSK and go for the KSK instead. So using a 2048 ZSK sort
> of implies using a larger KSK. Unless you keep the ZSK for 6 months or so.
Good point. I was only ever considering KSK key length. I kind of assume
everyone will use automated ZSK rolling, and that ZSK will get rolled fairly
frequently, so shorter keys make sense.

--
Shane

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
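The KSK/ZSK trade-off discussed in this exchange can be checked mechanically on a zone's DNSKEY RRset. The following is an added example, not code from the thread or from any DNSOP document: it parses presentation-format DNSKEY records, decodes the RSA public key layout of RFC 3110 to recover the modulus length, tells KSK (SEP flag, flags value 257) from ZSK (flags value 256), and then applies the reasoning above: a ZSK at least as long as the KSK adds nothing if the KSK is the longer-lived target, while a ZSK kept for a long time becomes the weaker target if it is shorter. The sample records, the moduli (which are not real RSA keys, just integers of the right bit length) and the 180-day threshold standing in for "6 months or so" are all constructed for illustration.

```python
"""Inspect DNSKEY records and compare KSK vs ZSK RSA modulus sizes.

Added example, not from the DNSOP thread. Sample keys and the lifetime
threshold are constructed for illustration only.
"""
import base64

RSA_ALGS = {5, 7, 8, 10}   # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
SEP_FLAG = 0x0001          # Secure Entry Point bit; set on KSKs by convention
ZONE_KEY_FLAG = 0x0100     # Zone Key bit; must be set on any DNSSEC signing key
ZSK_LONG_LIVED_DAYS = 180  # constructed threshold standing in for "6 months or so"


def encode_rsa_public_key(exponent: int, modulus: int) -> bytes:
    """RFC 3110 section 2 layout: exponent length (1 byte, or 0 followed by
    a 2-byte length for exponents of 256+ bytes), exponent, then modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return prefix + exp + mod


def decode_rsa_public_key(data: bytes) -> tuple:
    """Inverse of encode_rsa_public_key; returns (exponent, modulus)."""
    if not data:
        raise ValueError("empty RSA public key")
    if data[0] != 0:
        exp_len, off = data[0], 1
    else:
        exp_len, off = int.from_bytes(data[1:3], "big"), 3
    exponent = int.from_bytes(data[off:off + exp_len], "big")
    modulus = int.from_bytes(data[off + exp_len:], "big")
    if exponent == 0 or modulus == 0:
        raise ValueError("malformed RSA public key")
    return exponent, modulus


def make_dnskey_rr(owner: str, flags: int, alg: int, exponent: int, modulus: int) -> str:
    """Build a presentation-format DNSKEY RR (protocol field is always 3)."""
    key_b64 = base64.b64encode(encode_rsa_public_key(exponent, modulus)).decode()
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {key_b64}"


def parse_dnskey(rr: str) -> dict:
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' into a dict with
    the key role and, for RSA algorithms, the modulus length in bits."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    if not flags & ZONE_KEY_FLAG:
        raise ValueError("Zone Key flag not set; not a DNSSEC signing key")
    key = base64.b64decode("".join(fields[idx + 4:]))   # key may be split over whitespace
    info = {"owner": fields[0], "flags": flags,
            "role": "KSK" if flags & SEP_FLAG else "ZSK",
            "algorithm": alg, "bits": None}
    if alg in RSA_ALGS:
        info["bits"] = decode_rsa_public_key(key)[1].bit_length()
    return info


def check_key_sizes(rrs, zsk_lifetime_days: int) -> list:
    """Apply the thread's reasoning to a DNSKEY RRset and return warnings.
    Compares every RSA ZSK against the strongest RSA KSK in the set."""
    keys = [parse_dnskey(rr) for rr in rrs]
    ksk_bits = [k["bits"] for k in keys if k["role"] == "KSK" and k["bits"]]
    zsk_bits = [k["bits"] for k in keys if k["role"] == "ZSK" and k["bits"]]
    if not ksk_bits or not zsk_bits:
        return ["need at least one RSA KSK and one RSA ZSK to compare"]
    strongest_ksk = max(ksk_bits)
    warnings = []
    for bits in zsk_bits:
        if bits >= strongest_ksk and zsk_lifetime_days <= ZSK_LONG_LIVED_DAYS:
            warnings.append(f"{bits}-bit ZSK is not smaller than the {strongest_ksk}-bit KSK: "
                            "the longer-lived KSK is the easier target, so use a larger KSK")
        if bits < strongest_ksk and zsk_lifetime_days > ZSK_LONG_LIVED_DAYS:
            warnings.append(f"{bits}-bit ZSK kept for {zsk_lifetime_days} days: "
                            "a long-lived ZSK is now the weaker target")
    return warnings


# Constructed sample RRset: 2048-bit KSK (flags 257) and 1024-bit ZSK (flags 256),
# both RSASHA256 (algorithm 8). The moduli are placeholders, not real keys.
KSK_MODULUS = (1 << 2047) | 0xC0FFEE
ZSK_MODULUS = (1 << 1023) | 0xC0FFEE
SAMPLE_KEYS = [
    make_dnskey_rr("example.", 257, 8, 65537, KSK_MODULUS),
    make_dnskey_rr("example.", 256, 8, 65537, ZSK_MODULUS),
]

if __name__ == "__main__":
    for rr in SAMPLE_KEYS:
        print(parse_dnskey(rr))
    print("ZSK rolled monthly:", check_key_sizes(SAMPLE_KEYS, 30))
    print("ZSK kept a year:  ", check_key_sizes(SAMPLE_KEYS, 365))
```

With the sample set, a ZSK rolled monthly produces no warning, while the same 1024-bit ZSK kept for a year is flagged; swapping in a 2048-bit ZSK next to the 2048-bit KSK flags the case Paul raises. The check only knows about RSA algorithms, since modulus length is what the thread is about; DNSKEY records for other algorithms are parsed but excluded from the comparison.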
