On Mon, Jun 08, 2026 at 09:33:49AM +0200, Simon Josefsson wrote:
> The above argument is often repeated, but I think there are nuances that
> get lost when phrased like that. Security is rarely binary either/or,
> but more of a spectrum. All ECDSA keys in the world won't automatically
> be revealed on the first day a CRQC is demonstrated. People still run
> RSA 1024 deployments (e.g., DNSSEC)
In DNSSEC, ECDSA P-256 exceeds the deployment of RSA, and with RSA
domains, the KSKs are most commonly 2048 bits, with RSA-1024 KSKs on
only ~0.2% of signed domains. Yes, migration to PQC will take time.
Today's numbers:

- Algorithm frequencies:
  https://stats.dnssec-tools.org/#/?dnssec_param_tab=0

  KSK Alg             | Domain count
  --------------------+-------------
  13 (ECDSA P-256)    |     14891802
  8 (RSA SHA2-256)    |     10202696
  15 (Ed25519)        |       576447
  10 (RSA SHA2-512)   |       179838
  14 (ECDSA P-384)    |       166224
  7 (RSA SHA1 NSEC3)  |        73316
  5 (RSA SHA1)        |        11194

- RSA KSK bit count frequencies:
  https://stats.dnssec-tools.org/#/?dnssec_param_tab=2

  Bits  | Domain count
  ------+-------------
  2048  |     10008497
  4096  |       405294
  1024  |        24925
  1280  |        17001
  1536  |         5251
  3072  |         2138
  512   |          388
  2024  |          148
  2560  |          139

For ZSKs (that are much easier to rotate, if the operator bothers)
RSA-1024 is dominant at ~90%.

- RSA ZSK bit count frequencies:
  https://stats.dnssec-tools.org/#/?dnssec_param_tab=3

  Bits  | Domain count
  ------+-------------
  1024  |      9039068
  2048  |      1066378
  4096  |        72116
  1280  |         8079
  3072  |         2753
  512   |          433
  1032  |          277
  1536  |          271
  2304  |          137
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
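The statistics above classify each signed domain by the role of its key (KSK vs ZSK, from the SEP flag), its algorithm number, and for RSA keys the modulus length. The following is an added example, not part of the message or the TLS list thread, showing how an operator can make the same classification for their own zone's DNSKEY records: it parses presentation-format DNSKEY RDATA, reads the RSA public key layout from RFC 3110 (exponent length, exponent, modulus) to get the modulus bit count, and lists RSA keys below a chosen size. The DNSKEY records are constructed filler values, not real zone keys; the function and variable names are this example's own.

```python
"""Audit DNSKEY records: role (KSK/ZSK), algorithm, and RSA modulus size."""
import base64
from dataclasses import dataclass
from typing import List, Optional

# DNSSEC algorithm numbers from the IANA registry (the ones in the tables above).
ALGORITHMS = {
    5: "RSA/SHA-1",
    7: "RSA/SHA-1 (NSEC3)",
    8: "RSA/SHA-256",
    10: "RSA/SHA-512",
    13: "ECDSA P-256/SHA-256",
    14: "ECDSA P-384/SHA-384",
    15: "Ed25519",
}
RSA_ALGORITHMS = {5, 7, 8, 10}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on KSKs (flags 257), clear on ZSKs (256)


@dataclass
class KeyInfo:
    role: str
    algorithm: int
    algorithm_name: str
    bits: Optional[int]  # RSA modulus size in bits; None for non-RSA algorithms


def rsa_modulus_bits(rdata: bytes) -> int:
    """Modulus length in bits of an RFC 3110 RSA public key blob.

    Layout: one-octet exponent length (or 0 followed by a two-octet length),
    the exponent, then the modulus with no leading zero octets.
    """
    if rdata[0] != 0:
        exp_len, off = rdata[0], 1
    else:
        exp_len, off = int.from_bytes(rdata[1:3], "big"), 3
    modulus = rdata[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(presentation: str) -> KeyInfo:
    """Parse 'flags protocol algorithm base64...' as written in a zone file."""
    fields = presentation.split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    rdata = base64.b64decode("".join(fields[3:]))
    role = "KSK" if flags & SEP_FLAG else "ZSK"
    bits = rsa_modulus_bits(rdata) if algorithm in RSA_ALGORITHMS else None
    return KeyInfo(role, algorithm, ALGORITHMS.get(algorithm, f"alg {algorithm}"), bits)


def weak_rsa_keys(records: List[str], minimum_bits: int = 2048) -> List[KeyInfo]:
    """Every RSA key in `records` whose modulus is shorter than `minimum_bits`."""
    return [k for k in map(parse_dnskey, records)
            if k.bits is not None and k.bits < minimum_bits]


# --- constructed sample data (filler values, not real zone keys) ---
def _fake_rsa_rdata(bits: int, exponent: int = 65537) -> str:
    """Base64 RFC 3110 blob with a filler modulus of exactly `bits` bits."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    # Exponents longer than 255 octets use the 0 + two-octet length form.
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    modulus = (1 << (bits - 1)) | 0x5  # top bit set so bit_length() == bits
    mod = modulus.to_bytes((bits + 7) // 8, "big")
    return base64.b64encode(prefix + exp + mod).decode()


SAMPLE_RECORDS = [
    "257 3 8 " + _fake_rsa_rdata(2048),                       # KSK, RSA/SHA-256, 2048 bits
    "256 3 8 " + _fake_rsa_rdata(1024),                       # ZSK, RSA/SHA-256, 1024 bits
    "257 3 13 " + base64.b64encode(b"\x01" * 64).decode(),    # KSK, ECDSA P-256 (64-byte point)
    "256 3 5 " + _fake_rsa_rdata(512),                        # ZSK, RSA/SHA-1, 512 bits
]

if __name__ == "__main__":
    for k in map(parse_dnskey, SAMPLE_RECORDS):
        print(f"{k.role:3} alg {k.algorithm:2} ({k.algorithm_name}) bits={k.bits}")
    print("below 2048 bits:", [(k.role, k.bits) for k in weak_rsa_keys(SAMPLE_RECORDS)])
```

Feeding the output of `dig +short DNSKEY example.org` (one record per line) to `parse_dnskey` gives the same role/algorithm/bit-count breakdown per key; the ZSK-versus-KSK split matters because, as the message notes, ZSKs are the ones an operator can rotate cheaply.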