[dns-operations] EdDSA status ?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jun 4 14:30:25 UTC 2018



> On Jun 4, 2018, at 9:13 AM, Chris Thompson <cet1 at cam.ac.uk> wrote:
> 
> I am sure there are people who are sticking with RSA, hopefully
> increasing the modulus size from time to time

Or just relying on "sufficiently" frequent ZSK rotation.  Latest
ZSK RSA key size numbers don't show much movement towards larger
keys yet, though the 1280-bit domains are somewhat encouraging...

 zskdomains | bits 
------------+------
      12871 | 4096
      88567 | 2048
     294899 | 1280
    5529635 | 1024
      15022 |  512

The average duration of RSA ZSKs is 60 days, with a standard deviation of 30.

The key rotation histogram by floor of age in 10 day multiples shows a
bimodal distribution with peaks at around 30 and 90 days.  This dataset
starts in Oct/2017, so I don't yet have much data on laggards who rotate
annually, but if we guess that 5k/10-days seen post 90 days are
annual rotations, we can estimate ~180k domains rotate once a year,
making this perhaps trimodal.


#days   #zones
-----   ------
    0 |  96671
   10 | 104009
   20 | 121880
   30 | 250079
   40 |  98490
   50 |  40548
   60 |  33018
   70 | 594429
   80 | 719680
   90 | 124588
  100 |   5799
  110 |   5199
  120 |   5566
  130 |   1503
  140 |   1046
  150 |    127
  160 |    426
  170 |    622
  180 |    485
  190 |     31

Of 7,042,570 extant RSA ZSKs, 3,058,239 are 180 days or older.
Among RSA ZSKs of this age, the key size distribution by zone
count is:

 zskdomains | bits 
------------+------
       5445 | 4096
      33523 | 2048
     175813 | 1280
    2333483 | 1024
       6767 |  512

So around half (not all the domains in the survey were known
180 days ago) of the RSA-1024 ZSKs are still listed in the
DNSKEY RRset after 180 days.

-- 
	Viktor.
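
An added example, not part of the original post and not the survey's own tooling: one way to produce the same "zskdomains | bits" tally for zones you operate, by decoding the RFC 3110 RSA public key in each DNSKEY record. It assumes single-line presentation-format records; `zsk_rsa_sizes`, `rsa_modulus_bits` and the sample records are constructed for illustration.

```python
import base64
from collections import Counter

RSA_ALGS = {1, 5, 7, 8, 10}  # RSAMD5, RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 RSA public key (the DNSKEY key field)."""
    if not pubkey:
        raise ValueError("empty key")
    explen, off = pubkey[0], 1
    if explen == 0:  # long form: a 2-byte exponent length follows the zero byte
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        explen, off = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[off + explen:]
    if explen == 0 or not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()  # leading zero bytes ignored

def zsk_rsa_sizes(lines):
    """Tally RSA ZSK modulus sizes from 'owner ttl IN DNSKEY flags proto alg key' lines."""
    tally = Counter()
    for line in lines:
        f = line.split()
        if "DNSKEY" not in f:
            continue
        flags, _proto, alg, *key = f[f.index("DNSKEY") + 1:]
        # ZSK by convention: Zone Key bit (0x0100) set, SEP bit (0x0001) clear.
        if (int(flags) & 0x0101) != 0x0100 or int(alg) not in RSA_ALGS:
            continue
        tally[rsa_modulus_bits(base64.b64decode("".join(key)))] += 1
    return tally

def _sample_key(bits: int) -> str:
    """Constructed test data: exponent 65537 plus a dummy odd modulus of `bits` bits."""
    modulus = (1 << (bits - 1)) | 1
    raw = b"\x03\x01\x00\x01" + modulus.to_bytes((bits + 7) // 8, "big")
    return base64.b64encode(raw).decode()

SAMPLE = [  # constructed records, not real keys
    f"a.example. 3600 IN DNSKEY 256 3 8 {_sample_key(1024)}",
    f"b.example. 3600 IN DNSKEY 256 3 8 {_sample_key(1280)}",
    f"b.example. 3600 IN DNSKEY 257 3 8 {_sample_key(2048)}",  # KSK, skipped
    f"c.example. 3600 IN DNSKEY 256 3 13 {_sample_key(512)}",  # not RSA, skipped
    f"d.example. 3600 IN DNSKEY 256 3 7 {_sample_key(1024)}",
]

if __name__ == "__main__":
    print(" zskdomains | bits")
    for bits, n in sorted(zsk_rsa_sizes(SAMPLE).items(), reverse=True):
        print(f"{n:11d} | {bits}")
```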



