On 24 Apr 2009, at 16:03, Paul Wouters wrote:
I don't see a cryptographic reason for Paul Hoffman's "I'd like the keys to
be of equal size". Unless you'd argue that the KSK could easily also be
1024bit, and that the additional 11 months of validity of the KSK is
negligible compared to the time now up to 3 years from now, to break a 1024
bit RSA key.
What benefit is there of keeping the KSK small (e.g. 1024 bits)
instead of just choosing the maximum that your signing software
permits (e.g. 4096 bits, I think, with dnssec-signzone)?
EDNS0 is a prerequisite for DNSSEC, if memory serves, so it's
presumably not TCP fallback we're worried about with larger DNSKEY
RDATA. A 4096 bit key only represents 384 more bytes of RDATA in a
DNSKEY resource record on the wire than a 1024 bit key, and 384 bytes
doesn't sound (naively, no science) like it's going to break the bank.
Is the root concern the computational expense of dealing with larger
keys in a validator? Or something else? Whatever the root concern is,
what are the boundaries?
It seems fruitless to debate whether 1024 bits is sufficient if
there's no real cost to just choosing (say) 4096 bits and avoiding the
discussion.
Joe
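As an added worked example (not part of the thread), the sizes Joe is reasoning about can be computed from the RFC 3110 RSA public key encoding and the RFC 4034 DNSKEY/RRSIG wire formats; the response model assumes one KSK, one ZSK, one RRSIG by the KSK and an empty OPT RR for the root zone owner name.

```python
# Added example, not from the DNSOP thread: size the DNSKEY RDATA and a
# DNSKEY/RRSIG response for RSA keys using the RFC 3110 and RFC 4034 wire
# formats, to check the "384 more bytes" figure and the UDP-size question.

def rsa_public_key_field_len(modulus_bits: int, exponent: int = 65537) -> int:
    """Bytes in the RFC 3110 public key field: exponent-length prefix,
    exponent, modulus. Prefix is 1 byte if the exponent is under 256 bytes,
    else a zero byte followed by a 2-byte length."""
    exp_len = (exponent.bit_length() + 7) // 8
    prefix_len = 1 if exp_len < 256 else 3
    return prefix_len + exp_len + modulus_bits // 8


def dnskey_rdata_len(modulus_bits: int, exponent: int = 65537) -> int:
    """RFC 4034 s2.1: flags(2) + protocol(1) + algorithm(1) + public key."""
    return 4 + rsa_public_key_field_len(modulus_bits, exponent)


def rrsig_rdata_len(signer_bits: int, signer_name_len: int) -> int:
    """RFC 4034 s3.1: 18 fixed bytes + signer's name + RSA signature
    (same length as the signing key's modulus)."""
    return 18 + signer_name_len + signer_bits // 8


def rr_len(owner_name_len: int, rdata_len: int) -> int:
    """Owner name + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return owner_name_len + 10 + rdata_len


def dnskey_response_len(ksk_bits: int, zsk_bits: int, owner_name_len: int = 1) -> int:
    """Approximate wire size of a DNSSEC-enabled DNSKEY response holding one
    KSK, one ZSK and one RRSIG made by the KSK, plus an empty OPT RR.
    owner_name_len=1 is the root zone ('.'), so no name compression applies.
    Assumption: a real response may carry extra keys during a rollover."""
    header = 12
    question = owner_name_len + 2 + 2          # QNAME + QTYPE + QCLASS
    answer = (rr_len(owner_name_len, dnskey_rdata_len(ksk_bits))
              + rr_len(owner_name_len, dnskey_rdata_len(zsk_bits))
              + rr_len(owner_name_len, rrsig_rdata_len(ksk_bits, owner_name_len)))
    opt_rr = 11                                # root name + type/class/ttl/rdlen
    return header + question + answer + opt_rr


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(f"RSA-{bits}: DNSKEY RDATA = {dnskey_rdata_len(bits)} bytes")
    print("4096 vs 1024 RDATA delta:", dnskey_rdata_len(4096) - dnskey_rdata_len(1024))
    for ksk in (1024, 2048, 4096):
        size = dnskey_response_len(ksk, 1024)
        print(f"root DNSKEY response, {ksk}-bit KSK + 1024-bit ZSK: {size} bytes"
              f" ({'fits' if size <= 512 else 'needs EDNS0 or TCP'} in 512-byte UDP)")
```

The RDATA delta comes out at exactly 384 bytes, but the full response with a 4096-bit KSK also exceeds the classic 512-byte UDP limit, which is why the EDNS0 prerequisite matters to the argument.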
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop