[dns-operations] Aging TLD RSA DNSKEYs...

Paul Hoffman phoffman at proper.com
Sun Jan 20 22:10:24 UTC 2019

On 20 Jan 2019, at 13:54, Viktor Dukhovni wrote:

> It would be great if the operators of TLDs with 1024-bit ZSKs that
> are unchanged since 2017-10-19 or earlier would consider rolling
> over to new keys

Great for whom? This is a serious question. Given that there is no 
indication that RSA-1024 can be broken in a few years without hundreds 
of millions of dollars worth of work (unless TWIRL chips exist, and 
there is no indication that they do), what is the value to the DNS of 
rolling based on your calculations?

> One might also consider now and then rotating even 1280-bit or
> better RSA keys. :-)

Fully agree, at the time that they roll. Using 2048-bit RSA keys seems 

> It is less clear that keeping 2048-bit keys around for more than a
> year is problematic,

It is completely clear that doing so is not.

--Paul Hoffman

More information about the dns-operations mailing list