[dns-operations] Aging 1024-bit ZSKs at TLDs...
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Nov 19 20:10:07 UTC 2018
[ TL;DR: More TLDs could perhaps do a better job of timely rotation
of 1024-bit RSA ZSKs, and prompt removal of inactive keys. Given
successful migrations to ECDSA P-256 at .CZ and .BR, another option
may be to migrate away from RSA. Many of the gTLDs listed below
are little-used "brand-name" TLDs, so perhaps security is not a
real concern. ]
DNSSEC gets a mostly undeserved bad name in some circles, for still
using 1024-bit RSA keys, while the X.509 WebPKI has largely upgraded
to 2048-bit RSA. While almost all TLDs with just 6 exceptions:
TLD   | flags | alg | bits
------+-------+-----+------
kg    |   257 |   5 | 1024
bom   |   257 |   8 | 1280
final |   257 |   8 | 1280
globo |   257 |   8 | 1280
rio   |   257 |   8 | 1280
uol   |   257 |   8 | 1280
have 2048-bit KSKs, and I would not expect successful brute-force
attacks on 1280-bit RSA keys even by well-funded adversaries, the
ZSK picture is less rosy. In principle, 1024-bit ZSKs can be
reasonably safe if rotated sufficiently often, since brute-forcing
1024-bit RSA, even if possible, is likely neither quick nor cheap.
But once the same 1024-bit key is in place for a long time (a year
or more, or even indefinitely), then it is perhaps a realistic
target for well-funded brute-force attacks.
To that end, I've compiled a list of 210 TLDs at least one of whose
1024-bit RSA ZSKs has been in place (perhaps already inactive, but
still included in the DNSKEY RRset) for more than a year. I
spot-checked a few, which shows that at least some are presently
in the process of rolling over to new ZSKs, but many are not, or
keep inactive ZSKs around for a long time. Below the ZSK "age" is
in days since first observed and stored in the DANE survey database:
[ I only started storing DNSKEYs 395 days ago, so "395" is just a
lower bound, the keys in question could be significantly older ]
ccTLD alg bits age comments
----- --- ---- --- --------
ie 8 1024 389 -- New ZSK 21-days old, not active yet
-- Currently active ZSK is 204 days old
-- Inactive ZSK is 389 days old
ca 8 1024 395 -- New ZSK, ~2 days old, not active yet
za 8 1024 395 -- Active ZSK 162 days old, and 4 inactive ZSKs
my 8 1024 395 -- Active ZSK 137 days old, 2 inactive ZSKs.
pr 5 1024 395 -- Active ZSK 338 days old, 1 inactive ZSK
fi 8 1024 395 -- No new keys yet
gr 7 1024 395 -- No new keys yet
io 8 1024 395 -- No new keys yet
sh 8 1024 395 -- No new keys yet
uk 8 1024 395 -- No new keys yet
ac 8 1024 395
ax 8 1024 395
az 8 1024 395
bg 5 1024 395
bw 8 1024 395
by 7 1024 395
ee 8 1024 395
fo 8 1024 395
hr 8 1024 395
kg 5 1024 395
lk 5 1024 395
mm 8 1024 395
na 5 1024 395
sx 7 1024 395
vu 10 1024 395
ws 8 1024 395
gTLD alg bits age comments
---- --- ---- --- --------
nyc 8 1024 395 -- Active ZSK 1280 bits, ~2 years old.
-- Two 1024-bit inactive ZSKs,
-- The newest inactive ZSK is ~2 years old,
-- the oldest inactive ZSK is ~4 years old.
aaa 8 1024 395 -- No new keys yet
able 8 1024 395 -- No new keys yet
aws 8 1024 395 -- No new keys yet
moe 8 1024 395 -- No new keys yet
secure 8 1024 395 -- No new keys yet
tel 8 1024 395 -- No new keys yet
accountant 8 1024 395
americanexpress 8 1024 395
amex 8 1024 395
analytics 8 1024 395
athleta 8 1024 395
audible 8 1024 395
author 8 1024 395
baby 8 1024 395
banamex 8 1024 395
bananarepublic 8 1024 395
baseball 8 1024 395
best 8 1024 395
bible 8 1024 395
bid 8 1024 395
book 8 1024 395
booking 8 1024 395
bot 8 1024 395
buzz 8 1024 395
call 8 1024 395
capetown 8 1024 395
cartier 8 1024 395
cbn 8 1024 395
ceo 8 1024 395
chase 8 1024 395
chintai 8 1024 395
circle 8 1024 395
cisco 8 1024 395
citadel 8 1024 395
citi 8 1024 395
coupon 8 1024 395
cricket 8 1024 395
date 8 1024 395
deal 8 1024 395
dealer 8 1024 395
dell 8 1024 395
deloitte 7 1024 395
discover 8 1024 395
download 8 1024 395
duns 8 1024 395
dupont 8 1024 395
durban 8 1024 395
earth 8 1024 395
faith 8 1024 395
farmers 8 1024 395
fast 8 1024 395
ferrero 8 1024 395
fire 8 1024 395
flickr 8 1024 395
ford 8 1024 395
fox 8 1024 395
free 8 1024 395
frl 7 1024 395
ftr 8 1024 395
gap 8 1024 395
gent 7 1024 395
got 8 1024 395
grainger 8 1024 395
gucci 8 1024 395
health 8 1024 395
homegoods 8 1024 395
homesense 8 1024 395
honeywell 8 1024 395
hot 8 1024 395
hotels 8 1024 395
hsbc 8 1024 395
hyatt 8 1024 395
ieee 8 1024 395
imdb 8 1024 395
intel 8 1024 395
intuit 8 1024 395
jmp 8 1024 395
jnj 8 1024 395
joburg 8 1024 395
jot 8 1024 395
joy 8 1024 395
jpmorgan 8 1024 395
kinder 8 1024 395
kindle 8 1024 395
kiwi 8 1024 395
kpmg 8 1024 395
kpn 7 1024 395
kred 8 1024 395
like 8 1024 395
lilly 8 1024 395
lincoln 8 1024 395
loan 8 1024 395
marshalls 8 1024 395
mint 8 1024 395
mlb 8 1024 395
moi 8 1024 395
mtr 8 1024 395
mutual 8 1024 395
nfl 8 1024 395
now 8 1024 395
office 8 1024 395
oldnavy 8 1024 395
open 8 1024 395
osaka 8 1024 395
party 8 1024 395
pay 8 1024 395
pharmacy 8 1024 395
piaget 8 1024 395
pin 8 1024 395
ping 8 1024 395
praxi 8 1024 395
prime 8 1024 395
qpon 8 1024 395
qvc 8 1024 395
racing 8 1024 395
read 8 1024 395
review 8 1024 395
rocher 8 1024 395
room 8 1024 395
safe 8 1024 395
safety 8 1024 395
samsung 7 1024 395
sas 8 1024 395
save 8 1024 395
science 8 1024 395
sfr 7 1024 395
silk 8 1024 395
skype 8 1024 395
smile 8 1024 395
song 8 1024 395
spot 8 1024 395
statefarm 8 1024 395
stream 8 1024 395
swiftcover 8 1024 395
taipei 8 1024 395
talk 8 1024 395
tdk 8 1024 395
teva 8 1024 395
tjmaxx 8 1024 395
tjx 8 1024 395
tkmaxx 8 1024 395
trade 8 1024 395
tube 8 1024 395
tunes 8 1024 395
tushu 8 1024 395
uno 8 1024 395
vivo 8 1024 395
vuelos 8 1024 395
wanggou 8 1024 395
watches 8 1024 395
weather 8 1024 395
weatherchannel 8 1024 395
webcam 8 1024 395
whoswho 8 1024 395
wien 8 1024 395
win 8 1024 395
winners 8 1024 395
wow 8 1024 395
xn--1ck2e1b 8 1024 395
xn--1qqw23a 8 1024 395
xn--55qx5d 8 1024 395
xn--bck1b9a5dre4c 8 1024 395
xn--cck2b3b 8 1024 395
xn--cg4bki 7 1024 395
xn--eckvdtc9d 8 1024 395
xn--fct429k 8 1024 395
xn--g2xx48c 8 1024 395
xn--gckr3f0f 8 1024 395
xn--gk3at1e 8 1024 395
xn--io0a7i 8 1024 395
xn--jvr189m 8 1024 395
xn--kpu716f 8 1024 395
xn--l1acc 5 1024 395
xn--pbt977c 8 1024 395
xn--rovu88b 8 1024 395
xn--wgbh1c 8 1024 395
yahoo 8 1024 395
yamaxun 8 1024 395
yandex 8 1024 395
you 8 1024 395
zappos 8 1024 395
zero 8 1024 395
zippo 8 1024 395
--
Viktor.
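The post's tables classify keys by flags (257 = KSK, 256 = ZSK), algorithm, RSA modulus size and days since first observed. The following is an added example, not code from the post or from the DANE survey: it parses DNSKEY records in presentation form, derives the RSA modulus size from the RFC 3110 key layout, computes the RFC 4034 key tag, and flags sub-2048-bit ZSKs that have been in the RRset longer than a rotation window. The first-seen dates per key tag and the sample RRset are constructed for the example; a survey database such as the one the post describes would supply the real dates.

```python
import base64
import struct
from datetime import date
RSA_ALGS = {5, 7, 8, 10}  # RSA algorithm numbers that appear in the post's tables

def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 wire format: exponent length (1 byte, or 0 then 2 bytes),
    exponent, modulus. Returns the modulus bit length."""
    if pubkey[0]:
        elen, off = pubkey[0], 1
    else:
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[off + elen:], "big").bit_length()

def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(rr: str) -> dict:
    """Parse presentation form 'owner TTL IN DNSKEY flags proto alg key...'.
    Flags 257 = zone key + SEP bit (KSK); 256 = plain zone key (ZSK)."""
    f = rr.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    key = base64.b64decode("".join(f[i + 4:]))
    return {"owner": f[0], "tag": key_tag(flags, proto, alg, key),
            "role": "KSK" if flags & 1 else "ZSK", "alg": alg,
            "bits": rsa_modulus_bits(key) if alg in RSA_ALGS else None}

def stale_zsks(rrset, first_seen, today, max_age=365, min_bits=2048):
    """(owner, tag, bits, age) for RSA ZSKs below min_bits still present in
    the RRset more than max_age days after first_seen[tag] (ISO date strings)."""
    out = []
    for k in map(parse_dnskey, rrset):
        if k["role"] == "ZSK" and k["bits"] is not None and k["bits"] < min_bits:
            first = date.fromisoformat(first_seen[k["tag"]])
            age = (date.fromisoformat(today) - first).days
            if age > max_age:
                out.append((k["owner"], k["tag"], k["bits"], age))
    return out

def _rsa_rdata(modulus: bytes) -> str:  # exponent 65537 in RFC 3110 layout
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

# Constructed sample RRset (not real keys): one 2048-bit KSK, two 1024-bit ZSKs.
SAMPLE = [
    "example. 3600 IN DNSKEY 257 3 8 " + _rsa_rdata(b"\xa1" + bytes(255)),
    "example. 3600 IN DNSKEY 256 3 8 " + _rsa_rdata(b"\xc3" + bytes(range(127))),
    "example. 3600 IN DNSKEY 256 3 8 " + _rsa_rdata(b"\xd5" + bytes(range(127))),
]
```

Run against a real `dig +dnssec DNSKEY` dump, the same check reproduces the "age" column of the tables above once each key tag's first-seen date is recorded.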