[dns-operations] .NL and 1024-bit RSA ZSKs.

Stefan Ubbink Stefan.Ubbink at sidn.nl
Mon Oct 11 05:25:56 UTC 2021


On Fri, 8 Oct 2021 13:51:34 -0400
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:


> > On 8 Oct 2021, at 1:12 pm, Puneet Sood via dns-operations
> > <dns-operations at dns-oarc.net> wrote:
> > 
> > This is another case where NSEC3 opt-out interferes with effective
> > NSEC{3} response caching which would reduce queries to the TLD. 

We want to remove the opt-out from the .nl zone and I hope we can do
this in 2022.
 
> Speaking of the .NL zone DNSSEC parameters, the ZSK is 1024-bit RSA,
> and .NL is the largest zone (by signed delegation count) with RSA
> keys less than 1280 bits.
> 
> The .COM TLD uses 1280-bit RSA ZSKs, while .BR, .CZ, .CH, .FR and .DK
> all use ECDSA P256.
> 
> The next batch of TLDs with 1024-bit RSA ZSKs are .EU, .NO, .BE and
> .ORG.
> 
> While we don't have compelling evidence that 1024-bit RSA DNSKEYs,
> rotated sufficiently often are at a realistic risk of brute-force
> cryptanalytic attacks, the broader cryptographic community has
> left 1024-bit RSA behind, and we now have better options:
> 
>   * 1280-bit RSA is practical and improves the safety margin
>   * P256 has been successfully adopted by 45 TLDs and has
>     near universal resolver support, on par with RSA.
> 
> So I'd like to suggest that .NL consider either a stronger ZSK,
> or an algorithm rollover.

We have an algorithm rollover to Elliptic Curve in our backlog and I
hope we will be able to do this in 2022.

> Not all is stuck in the past, over the last ~1 year, the use of
> algorithm 7 has dropped from a peak of ~2.2 million zones to
> just ~350k zones and lately continuing to fall ~10k/day.

We are currently in the process of an algorithm rollover for our second
level domains.

-- 
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
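The exchange above turns on two properties of a zone's DNSKEY RRset: which algorithm each key uses and, for RSA, how long the modulus is. Neither is visible in the presentation format without decoding the key, since RFC 3110 packs the exponent length, exponent and modulus into one base64 blob. The script below is an added example, not code from the thread or from SIDN: it parses DNSKEY records in zone-file format, computes the RFC 4034 key tag, extracts the RSA modulus size (handling both the one-byte and the three-byte exponent-length encoding) and flags keys that fall below a configurable floor. The DNSKEY records it runs on are constructed locally with synthetic key material; they are not the real keys of .nl or of any other zone, and the 1280-bit floor is the threshold suggested in the message above, not an RFC requirement.

```python
"""Audit DNSKEY records for signing algorithm and RSA modulus size.

Added example for the dns-operations thread on .NL ZSK sizes; it is not
code from the list, from SIDN or from any DNS software. All key material
below is synthetic and constructed in this file.
"""
import base64
import struct

# DNSSEC algorithm numbers from the IANA registry.
ALG_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
}
RSA_ALGS = {5, 7, 8, 10}
SHA1_RSA_ALGS = {5, 7}      # SHA-1 based; RFC 8624 lists them as NOT RECOMMENDED for signing
RSA_MIN_BITS = 1280         # floor suggested in the thread (assumption, not an RFC limit)

FLAG_ZONE = 0x0100          # ZONE bit, RFC 4034 section 2.1.1
FLAG_SEP = 0x0001           # SEP bit, conventionally set on KSKs


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus length of an RFC 3110 RSA public key.

    Wire format: one-byte exponent length (or 0x00 followed by a two-byte
    length when the exponent is longer than 255 bytes), then the exponent,
    then the modulus, big-endian with no leading zero bytes.
    """
    elen = pubkey[0]
    off = 1
    if elen == 0:
        (elen,) = struct.unpack("!H", pubkey[1:3])
        off = 3
    modulus = pubkey[off + elen:]
    return int.from_bytes(modulus, "big").bit_length()


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 appendix B (the id shown in RRSIG and DS records)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr: str) -> dict:
    """Parse one DNSKEY record in presentation (zone-file) format."""
    f = rr.split()
    i = f.index("DNSKEY")
    flags, protocol, algorithm = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))   # base64 may be split by whitespace
    return {
        "owner": f[0],
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "pubkey": pubkey,
        "role": "KSK" if flags & FLAG_SEP else "ZSK",
        "tag": key_tag(flags, protocol, algorithm, pubkey),
    }


def assess(rec: dict) -> dict:
    """Algorithm name, effective key size in bits, and a list of findings."""
    alg, pubkey, findings = rec["algorithm"], rec["pubkey"], []
    if not rec["flags"] & FLAG_ZONE:
        findings.append("ZONE flag not set; not a zone key")
    if alg in RSA_ALGS:
        bits = rsa_modulus_bits(pubkey)
        if bits < RSA_MIN_BITS:
            findings.append(f"RSA modulus {bits} bits is below {RSA_MIN_BITS}")
        if alg in SHA1_RSA_ALGS:
            findings.append("SHA-1 based RSA algorithm; not recommended for signing")
    elif alg in (13, 14):
        bits = len(pubkey) * 4      # RFC 6605: uncompressed point X || Y, no prefix byte
    elif alg == 15:
        bits = len(pubkey) * 8      # RFC 8080: raw 32-byte Ed25519 public key
    else:
        bits = len(pubkey) * 8
        findings.append(f"algorithm {alg} not handled")
    return {"algorithm": ALG_NAMES.get(alg, str(alg)), "bits": bits, "findings": findings}


def audit(records: list) -> list:
    """Parse and assess every DNSKEY record in the list."""
    out = []
    for rr in records:
        rec = parse_dnskey(rr)
        out.append(dict(owner=rec["owner"], role=rec["role"], tag=rec["tag"], **assess(rec)))
    return out


def synthetic_rsa_pubkey(modulus_bits: int) -> bytes:
    """RFC 3110 encoding of a fake RSA key: exponent 65537, modulus with top bit set.

    Constructed for parsing only; this is not a usable RSA key.
    """
    modulus = bytes([0x80]) + b"\x5a" * (modulus_bits // 8 - 1)
    return bytes([3]) + b"\x01\x00\x01" + modulus


def make_dnskey_rr(owner: str, flags: int, algorithm: int, pubkey: bytes) -> str:
    return f"{owner} 3600 IN DNSKEY {flags} 3 {algorithm} {base64.b64encode(pubkey).decode()}"


# Constructed sample RRset: a 2048-bit RSA KSK, a 1024-bit RSA ZSK and a P-256 ZSK.
# The owner name and keys are synthetic and do not describe any real zone.
SAMPLE_ZONE = [
    make_dnskey_rr("example-tld.", 257, 8, synthetic_rsa_pubkey(2048)),
    make_dnskey_rr("example-tld.", 256, 8, synthetic_rsa_pubkey(1024)),
    make_dnskey_rr("example-tld.", 256, 13, b"\x5a" * 64),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_ZONE):
        status = "; ".join(r["findings"]) or "ok"
        print(f'{r["owner"]} {r["role"]} tag={r["tag"]} {r["algorithm"]} {r["bits"]}-bit: {status}')
```

To run it against a live zone, feed the output of `dig +short DNSKEY <zone>` style records (with the owner name prepended) into `audit()`; the same decoder then reports a 1280-bit RSA ZSK as "ok" and a 1024-bit one as below the floor, while P-256 keys are sized from the 64-byte point encoding rather than from an RSA modulus.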