[dns-operations] Aging TLD RSA DNSKEYs...

Philip Homburg philip.homburg at ripe.net
Mon Jan 21 12:17:15 UTC 2019

On 2019/01/20 23:10 , Paul Hoffman wrote:
> Great for whom? This is a serious question. Given that there is no
> indication that RSA-1024 can be broken in a few years without hundreds
> of millions of dollars worth of work (unless TWIRL chips exist, and
> there is no indication that they do), what is the value to the DNS of
> rolling based on your calculations?

(just my private opinion)

There are quite a few people who consider RSA-1024 a joke. Who cares how
many millions of dollars it is. That's not a way to deploy the root of a
trust hierarchy.

Fortunately the actual DNS root zone is fine. But just about every TLD
uses a 1024-bit key.

Getting traction for DNSSEC is already hard enough. No need to throw
weak keys in the mix.
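As an added example (not part of this thread or anyone's posted code), here is how a zone operator can check the claim above for their own DNSKEY set: parse the RFC 3110 RSA public key carried in each DNSKEY record and flag any modulus shorter than 2048 bits. It assumes records in the full presentation format that dig prints, and the two sample records are constructed, not real TLD keys.

```python
import base64
import struct

# DNSSEC RSA algorithm numbers (IANA registry): RSASHA1, RSASHA1-NSEC3-SHA1,
# RSASHA256, RSASHA512. Other algorithms use a different key encoding.
RSA_ALGORITHMS = {5, 7, 8, 10}

def encode_rsa_public_key(exponent: int, modulus: int) -> bytes:
    """RFC 3110 encoding: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        return bytes([len(exp)]) + exp + mod
    return b"\x00" + struct.pack("!H", len(exp)) + exp + mod

def rsa_modulus_bits(public_key: bytes) -> int:
    """Inverse of the above: bit length of the modulus in an RFC 3110 key blob."""
    if not public_key:
        raise ValueError("empty public key")
    exp_len, offset = public_key[0], 1
    if exp_len == 0:  # long-exponent form: two-byte length follows the zero
        exp_len, offset = struct.unpack("!H", public_key[1:3])[0], 3
    modulus = public_key[offset + exp_len:]
    if not modulus:
        raise ValueError("truncated key: no modulus")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dnskeys(presentation_lines, min_bits=2048):
    """Take DNSKEY records as 'owner TTL IN DNSKEY flags proto alg key...' and
    return (owner, flags, alg, bits) for every RSA key below min_bits."""
    weak = []
    for line in presentation_lines:
        fields = line.split()
        owner, flags, alg = fields[0], int(fields[4]), int(fields[6])
        if alg not in RSA_ALGORITHMS:
            continue  # ECDSA/EdDSA keys have a fixed size; not subject to this check
        bits = rsa_modulus_bits(base64.b64decode("".join(fields[7:])))
        if bits < min_bits:
            weak.append((owner, flags, alg, bits))
    return weak

# Constructed sample records (not real keys): a 1024-bit ZSK and a 2048-bit KSK.
# The moduli are just integers of the right length; only their size matters here.
def _sample_records():
    zsk = encode_rsa_public_key(65537, (1 << 1023) | 1)
    ksk = encode_rsa_public_key(65537, (1 << 2047) | 1)
    return [
        "example. 3600 IN DNSKEY 256 3 8 " + base64.b64encode(zsk).decode(),
        "example. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(ksk).decode(),
    ]

if __name__ == "__main__":
    for owner, flags, alg, bits in audit_dnskeys(_sample_records()):
        print(f"{owner} flags={flags} alg={alg}: RSA-{bits} is below 2048 bits")
```

To run it against a live zone, feed it the answer section of `dig +multi DNSKEY <zone>` with the parenthesised key reassembled onto one line.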


