[dns-operations] Aging TLD RSA DNSKEYs...
Paul Hoffman
phoffman at proper.com
Sun Jan 20 22:10:24 UTC 2019
On 20 Jan 2019, at 13:54, Viktor Dukhovni wrote:
> It would be great if the operators of TLDs with 1024-bit ZSKs that
> are unchanged since 2017-10-19 or earlier would consider rolling
> over to new keys
Great for whom? This is a serious question. Given that there is no
indication that RSA-1024 can be broken in a few years without hundreds
of millions of dollars worth of work (unless TWIRL chips exist, and
there is no indication that they do), what is the value to the DNS of
rolling based on your calculations?
> One might also consider now and then rotating even 1280-bit or
> better RSA keys. :-)
Fully agree, at the time that they roll. Using 2048-bit RSA keys seems
fine.
> It is less clear that keeping 2048-bit keys around for more than a
> year is problematic,
It is completely clear that doing so is not.
--Paul Hoffman
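The check behind Viktor's request, as an added example that is not code from the dns-operations thread or from either author: parse DNSKEY RDATA, pull the RSA modulus out of the RFC 3110 public-key encoding, and list ZSKs whose modulus is below a chosen size. The sample records are constructed locally (random integers of the stated bit length stand in for moduli, which is enough to exercise the parser); `make_test_dnskey`, `weak_rsa_zsks` and the other names are this example's own. Key age, the other half of the request, is not visible in DNSKEY RDATA and would have to come from observation history or RRSIG timing.

```python
"""Flag RSA DNSKEYs whose modulus is below a chosen size (RFC 3110 encoding)."""
import base64
import secrets
from typing import List, Optional, Tuple

# DNSKEY algorithm numbers that carry an RFC 3110 RSA public key.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
ZONE_KEY_FLAG = 0x0100  # flags bit 7: Zone Key
SEP_FLAG = 0x0001       # flags bit 15: Secure Entry Point (set on KSKs)


def encode_rsa_public_key(exponent: int, modulus: int) -> bytes:
    """Serialise (e, n) in RFC 3110 wire format: exponent length, exponent, modulus."""
    e_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        length = bytes([len(e_bytes)])                       # one-byte length form
    else:
        length = b"\x00" + len(e_bytes).to_bytes(2, "big")  # zero byte, then two-byte length
    return length + e_bytes + n_bytes


def decode_rsa_public_key(data: bytes) -> Tuple[int, int]:
    """Inverse of encode_rsa_public_key; raises ValueError on truncated input."""
    if len(data) < 2:
        raise ValueError("RSA public key too short")
    if data[0] != 0:
        e_len, offset = data[0], 1
    else:
        e_len, offset = int.from_bytes(data[1:3], "big"), 3
    e_bytes = data[offset:offset + e_len]
    n_bytes = data[offset + e_len:]
    if len(e_bytes) != e_len or not n_bytes:
        raise ValueError("RSA public key truncated")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def parse_dnskey(rdata: str) -> Tuple[int, int, int, bytes]:
    """Split presentation-format RDATA 'flags protocol algorithm base64...' into fields."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("DNSKEY RDATA needs flags, protocol, algorithm and key")
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    key = base64.b64decode("".join(fields[3:]), validate=True)
    return flags, protocol, algorithm, key


def rsa_modulus_bits(rdata: str) -> Optional[int]:
    """Modulus size in bits for an RSA DNSKEY, or None for non-RSA algorithms."""
    _, _, algorithm, key = parse_dnskey(rdata)
    if algorithm not in RSA_ALGORITHMS:
        return None
    _, modulus = decode_rsa_public_key(key)
    return modulus.bit_length()


def is_zsk(flags: int) -> bool:
    """Zone Key bit set and SEP bit clear is the conventional ZSK marking."""
    return bool(flags & ZONE_KEY_FLAG) and not (flags & SEP_FLAG)


def weak_rsa_zsks(rdatas: List[str], min_bits: int = 2048) -> List[Tuple[int, int]]:
    """Return (algorithm, modulus_bits) for every RSA ZSK whose modulus is below min_bits."""
    weak = []
    for rdata in rdatas:
        flags, _, algorithm, _ = parse_dnskey(rdata)
        bits = rsa_modulus_bits(rdata)
        if bits is not None and is_zsk(flags) and bits < min_bits:
            weak.append((algorithm, bits))
    return weak


def make_test_dnskey(flags: int, algorithm: int, modulus_bits: int) -> str:
    """Constructed DNSKEY RDATA: a random odd integer with the top bit set stands in for n."""
    modulus = secrets.randbits(modulus_bits) | (1 << (modulus_bits - 1)) | 1
    key_b64 = base64.b64encode(encode_rsa_public_key(65537, modulus)).decode()
    return f"{flags} 3 {algorithm} {key_b64}"


# Constructed apex key set: a 2048-bit RSASHA256 KSK, a 1024-bit RSASHA256 ZSK,
# a 2048-bit RSASHA256 ZSK, and an ECDSA P-256 key (algorithm 13) that is skipped.
SAMPLE_DNSKEYS = [
    make_test_dnskey(257, 8, 2048),
    make_test_dnskey(256, 8, 1024),
    make_test_dnskey(256, 8, 2048),
    "256 3 13 " + base64.b64encode(secrets.token_bytes(64)).decode(),
]

if __name__ == "__main__":
    for rdata in SAMPLE_DNSKEYS:
        print(rdata.split()[:3], rsa_modulus_bits(rdata))
    print("RSA ZSKs below 2048 bits:", weak_rsa_zsks(SAMPLE_DNSKEYS))
```

Against a live zone the same functions apply to the RDATA of each record in a `dig +short DNSKEY <tld>` answer; the parser accepts the base64 split across several whitespace-separated fields as that output prints it.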