[dns-operations] Aging TLD RSA DNSKEYs...
Philip Homburg
philip.homburg at ripe.net
Mon Jan 21 12:17:15 UTC 2019
On 2019/01/20 23:10, Paul Hoffman wrote:
> Great for whom? This is a serious question. Given that there is no
> indication that RSA-1024 can be broken in a few years without hundreds
> of millions of dollars worth of work (unless TWIRL chips exist, and
> there is no indication that they do), what is the value to the DNS of
> rolling based on your calculations?
(just my private opinion)
There are quite a few people who consider RSA-1024 a joke. Who cares how
many millions of dollars it is? That's not a way to deploy the root of a
trust hierarchy.
Fortunately the actual DNS root zone is fine. But just about every TLD
uses a 1024-bit key.
Getting traction for DNSSEC is already hard enough. No need to throw
weak keys in the mix.
Philip