[dns-operations] .PL DNSSEC broken again

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jun 18 20:06:02 UTC 2019

On Tue, Jun 18, 2019 at 11:34:18AM +0200, Philip Homburg wrote:

> On 2019/06/17 21:33 , Viktor Dukhovni wrote:
> > There is not broad agreement that 1024-bit RSA ZSKs are too weak.
> > More important would be more frequent rotation.  IIRC some of the
> > older ZSKs at various TLDs were expected to get rotated ~this summer.
> > We'll soon see whether that happened.
> > 
> > If 1024-bit keys are replaced sufficiently frequently, and given
> > that DNSSEC (unlike TLS) has no forward-secrecy exposure, 1024-bit
> > RSA ZSKs with a 90 or 180 day lifetime don't seem unreasonable.  
> I'm very worried about the line of reasoning.
> First, it is used as a reason to not deploy DANE because a sizable group
> is just not going to trust weak RSA encryption.
> [...] people don't take the DNSSEC community seriously as long as we keep
> using weak key lengths.

Well, I am certainly not *endorsing* 1024-bit RSA.  I am more than
happy to see recent growth in the use of P-256 (13), where in the
case of KSKs, it now outnumbers algorithm RSASHA1-NSEC3-SHA1 (7)
and is closing in on RSASHA256 (8).  Also solid groth for ZSKs, but
still slightly behind (7) in third place.

On the RSA key size front:


RSA KSKs are mostly 2048-bit, but RSA ZSKs are still mostly 1024-bit
with only ~11% using 1280-bit or 2048-bit keys.  This likely boils
down to a combination of cargo-culted defaults, and the fact that
packet size considerations make 2048-bit ZSKs less appealing.

With 2048-bit RSA keys, by the time you emit RRSIGs for an SOA
record and 3 NSEC3 records, you have 8192 bits of signature bits +
640 bits of SHA1 NSEC3 labels or 1104 bytes for just the crypto bits.
With the IPv6 MTU at 1280 bytes, that's quite "tight"...

So the choice of 1024-bit ZSKs is an understandable trade-off.  We
do need to encourage more operators to rotate those keys regularly.


Therefore, for now the practical choices for ZSK keys are:

    * RSA at 1280 bits
    * P256

and once (~5-10 years?) support for Ed25519 (15) is widely implemented,


More information about the dns-operations mailing list