[dns-operations] Obsoleting 1024-bit RSA ZSKs (move to 1280 or algorithm 13)

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Oct 20 16:29:16 UTC 2021


[ Similar text posted to mattermost Town-Square channel. ]

I'd like to encourage implementations to change the default RSA key size
for ZSKs from 1024 to 1280 (if sticking with RSA, or the user elects RSA).

Implementation defaults aside, operators should actively migrate away
from 1024-bit RSA ZSKs to either 1280-bit RSA (algorithm 8 or 10, not 5
or 7) or better still to ECDSA P256 (algorithm 13).

With RSA-250 (decimal, 829 bits binary) factored in Feb 2020 using
2700 core-years of CPU:

    https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;dc42ccd1.2002

the cost of factoring 1024-bit keys at ~200x more is now conservatively
0.54M core years or less given better optimised algorithms, parallel
attacks on multiple keys, ...

While 0.54M core years is not cheap, it is plausibly within reach and
attacks only get better.

The cost of attacking 1280-bit RSA with GNFS is ~90k times the cost of
the 829-bit RSA-250 challenge, or ~24M core years.

While the safety margin is still tight, moving to 1280-bit RSA is a
substantially worthwhile improvement, and with reasonable key rotation
(say every 90 days), attacks using publicly known techniques appear
likely out of reach (spin ~100M cores for 90 days in the hope of
cracking one key just before it is replaced).

-- 
    Viktor.


More information about the dns-operations mailing list