[dns-operations] Aging TLD RSA DNSKEYs...

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Jan 20 23:48:53 UTC 2019

> On Jan 20, 2019, at 5:10 PM, Paul Hoffman <phoffman at proper.com> wrote:
>> It would be great if the operators of TLDs with 1024-bit ZSKs that
>> are unchanged since 2017-10-19 or earlier would consider rolling
>> over to new keys
> Great for whom? This is a serious question. Given that there is no indication that RSA-1024 can be broken in a few years without hundreds of millions of dollars worth of work (unless TWIRL chips exist, and there is no indication that they do), what is the value to the DNS of rolling based on your calculations?

A fair question.  The pros are:

  * The DNSSEC haters would not have the opportunity to sneer
    all those long-lived 1024-bit keys.  The WebPKI has stopped
    using RSA-1024, and NIST's key size guidelines had RSA-1024
    only good through 2010 or so (IIRC).

  * Even when keys are not brute forced, there is some risk of
    keys getting disclosed by various means, sometimes unbeknownst
    to the legitimate key holder.  So rotating keys periodically
    is a sound practice.

  * We don't know whether any of the TLAs can break 1024-bit RSA,
    but the risk is taken seriously by at least some maintstream
    cryptographers, so it seems prudent to move to stronger keys.

  * Finally, if you never roll your keys routinely, you probably
    don't know how to do it in an emergency.  Best to keep the
    gears well oiled.

On the down side, there's some operational risk of poor execution,
but if one gets into the habit of rolling the keys regularly, and
the process is well thought it, the risk should be very low.

I am curious what others think...


More information about the dns-operations mailing list