[dns-operations] .PL DNSSEC broken again
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Jun 18 20:06:02 UTC 2019
On Tue, Jun 18, 2019 at 11:34:18AM +0200, Philip Homburg wrote:
> On 2019/06/17 21:33 , Viktor Dukhovni wrote:
>
> > There is not broad agreement that 1024-bit RSA ZSKs are too weak.
> > More important would be more frequent rotation. IIRC some of the
> > older ZSKs at various TLDs were expected to get rotated ~this summer.
> > We'll soon see whether that happened.
> >
> > If 1024-bit keys are replaced sufficiently frequently, and given
> > that DNSSEC (unlike TLS) has no forward-secrecy exposure, 1024-bit
> > RSA ZSKs with a 90 or 180 day lifetime don't seem unreasonable.
>
> I'm very worried about the line of reasoning.
>
> First, it is used as a reason to not deploy DANE because a sizable group
> is just not going to trust weak RSA encryption.
>
> [...] people don't take the DNSSEC community seriously as long as we keep
> using weak key lengths.
Well, I am certainly not *endorsing* 1024-bit RSA. I am more than
happy to see recent growth in the use of P-256 (13), where in the
case of KSKs, it now outnumbers algorithm RSASHA1-NSEC3-SHA1 (7)
and is closing in on RSASHA256 (8). Also solid groth for ZSKs, but
still slightly behind (7) in third place.
On the RSA key size front:
http://stats.dnssec-tools.org/#keysize
RSA KSKs are mostly 2048-bit, but RSA ZSKs are still mostly 1024-bit
with only ~11% using 1280-bit or 2048-bit keys. This likely boils
down to a combination of cargo-culted defaults, and the fact that
packet size considerations make 2048-bit ZSKs less appealing.
With 2048-bit RSA keys, by the time you emit RRSIGs for an SOA
record and 3 NSEC3 records, you have 8192 bits of signature bits +
640 bits of SHA1 NSEC3 labels or 1104 bytes for just the crypto bits.
With the IPv6 MTU at 1280 bytes, that's quite "tight"...
So the choice of 1024-bit ZSKs is an understandable trade-off. We
do need to encourage more operators to rotate those keys regularly.
https://lists.dns-oarc.net/pipermail/dns-operations/2019-January/018328.html
Therefore, for now the practical choices for ZSK keys are:
* RSA at 1280 bits
* P256
and once (~5-10 years?) support for Ed25519 (15) is widely implemented,
Ed25519.
--
Viktor.
More information about the dns-operations
mailing list