FYI, Cheers, Peter.
DNSSEC Key Strength: http://www.surfnet.nl/Documents/DNSSSEC-web.pdf page 30.
DNSSEC is based on public key cryptography. RFC 4034 (see [10]) specifies that the following cryptographic algorithms may be used:

• DSA/SHA-1
• RSA/SHA-1

For two reasons it is recommended only to use the RSA/SHA-1 algorithm:

• Security: DSA keys are constrained to a maximum key length of 1024 bits; this may impact the security of DSA keys
• Performance: Signature validation of DSA signatures is an order of magnitude slower than signature validation of RSA signatures. This mainly has an impact on validating resolvers.

In the future elliptic curve cryptography is also going to be supported for DNSSEC. Currently, however, its use has not been standardised yet.
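An added example, not part of the message above or of the SURFnet document: a small DNSKEY audit that reads the algorithm number and key size from zone-file records and shows where the 1024-bit DSA ceiling comes from in the key encoding. The function names and sample records are constructed for illustration; the algorithm numbers (3, 5) are the IANA values and the key layouts follow RFC 2536 (DSA) and RFC 3110 (RSA).

```python
import base64
import struct

# IANA DNSSEC algorithm numbers for the two algorithms the excerpt names.
ALGORITHMS = {3: "DSA/SHA-1", 5: "RSA/SHA-1"}

def key_bits(algorithm, blob):
    """Key size in bits, read from the DNSKEY public key field."""
    if not blob:
        raise ValueError("empty public key field")
    if algorithm == 3:
        # RFC 2536: the first octet T fixes P at 64 + 8*T octets, with T <= 8,
        # which is where the 1024-bit ceiling for DSA comes from.
        t = blob[0]
        if t > 8:
            raise ValueError("DSA T parameter out of range: %d" % t)
        return (64 + 8 * t) * 8
    if algorithm == 5:
        # RFC 3110: exponent length is one octet, or 0 plus a two-octet length.
        if blob[0]:
            exp_len, off = blob[0], 1
        else:
            exp_len, off = struct.unpack("!H", blob[1:3])[0], 3
        return int.from_bytes(blob[off + exp_len:], "big").bit_length()
    raise ValueError("algorithm %d is not covered by the excerpt" % algorithm)

def audit_dnskey(line):
    """Parse one DNSKEY line in zone-file form; return (owner, name, bits, ok)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    algorithm = int(fields[i + 3])
    blob = base64.b64decode("".join(fields[i + 4:]))
    bits = key_bits(algorithm, blob)
    # ok means "matches the excerpt's recommendation" (RSA/SHA-1 only).
    return fields[0], ALGORITHMS[algorithm], bits, algorithm == 5

def sample_zone():
    """Constructed records: filler bytes with valid framing, not real keys."""
    rsa = b"\x03\x01\x00\x01" + b"\xc1" + b"\x01" * 255      # 2048-bit modulus
    dsa = b"\x08" + b"\x11" * 20 + b"\x22" * (3 * 128)      # T=8, Q, then P|G|Y
    enc = lambda b: base64.b64encode(b).decode()
    return ["rsa.example. 3600 IN DNSKEY 256 3 5 " + enc(rsa),
            "dsa.example. 3600 IN DNSKEY 256 3 3 " + enc(dsa)]

if __name__ == "__main__":
    for record in sample_zone():
        print(audit_dnskey(record))
```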
