[dns-operations] Obsoleting 1024-bit RSA ZSKs (move to 1280 or algorithm 13)

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Oct 22 18:25:07 UTC 2021

> On 22 Oct 2021, at 12:10 pm, Matt Nordhoff <mnordhoff at gmail.com> wrote:
> There are challenges to upgrading to larger keys, or rolling
> algorithms, but how insurmountable are they?
> There are at least 139 TLDs using 2048-bit or larger DNSSEC keys
> *right now* -- and that's excluding about two dozen that are in the
> middle of migrating to a different registry and downgrading to
> 1280-bit ZSKs.

The linked PNG is of a table from the RSA ZSK slide of my
upcoming presentation at ICANN72 CCNSO-TechDay on Monday (18:40 UTC).
It summarises many properties of the various key choices:


[ The NSEC and NSEC3 sizes in the table are measured sizes of signed
  NXDOMAIN replies from all TLDs where I know of at least 50 signed
  delegations.  Smaller TLDs, especially with opt-out and no signed
  delegations return smaller NSEC responses because a single NSEC
  RR can cover all the relevant names. ]

I think this makes a reasonable case that given a suitable software/hardware
stack, newly acquired if need be, choosing a 1280-bit RSA ZSK is practical
and justified.  A better choice may be ECDSA P256 or 1536-bit RSA with NSEC.

The main motivation for bringing this up is that I think that it is not enough
for DNSSEC to be practically safe within a tolerable margin, rather, to take
full advantage of DNSSEC we need it to be *trusted*, and trust sometimes takes
more than good enough security, the safety margins need to be high enough to
put to rest reasonable doubt.

At this point I rather think that RSA-1024 is no longer trusted, even if it can be
made practically secure enough for signing with regular key rotation.

The gap from 0.54 million core years for RSA-1024 and 240 million core years
for RSA-1280, extrapolated from the cost of the recent RSA-250 (829 bit)


and cost ratios of ~200 and ~90,000 for 1024-bit GNFS and 1280-bit GNFS
respectively, relative to 829-bit GNFS, while "only" 9 bits, is I think quite significant.

The 54 billion (US) extrapolated core years for RSA-1536 is entirely out of reach
of GNFS with planetary-scale resources.

And as Matt points out, RSA-2048 ZSKs, or double-signed TLD zones seem to be
getting by alright.

So I think that it is time to leave the 2010's behind and reach for a more
trustworthy foundation for DNSSEC, by using stronger keys at least at the
eTLD layer, and ultimately for all zones.
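
The cost extrapolation in the message above can be approximately reproduced from the asymptotic GNFS running-time formula. This is an added example, not part of the original post: it assumes the o(1) term is dropped, derives the 829-bit baseline from the post's own figures (0.54 million core years divided by the ~200 ratio), and all function names are illustrative.

```python
import math

# Asymptotic GNFS cost L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped.
# Assumption of this example: the post does not say which formula it used.
GNFS_C = (64 / 9) ** (1 / 3)

BASE_BITS = 829  # RSA-250, the reference factorization named in the post
# Baseline derived from the post's own figures: 0.54 million core years
# for RSA-1024 divided by its ~200 cost ratio.
BASE_CORE_YEARS = 0.54e6 / 200


def gnfs_ln_cost(bits):
    """Natural log of the GNFS work factor for a modulus of `bits` bits."""
    ln_n = bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def cost_ratio(bits, base_bits=BASE_BITS):
    """How many times more GNFS work than a `base_bits` modulus."""
    return math.exp(gnfs_ln_cost(bits) - gnfs_ln_cost(base_bits))


def core_years(bits):
    """Extrapolated core years, scaled from the 829-bit baseline."""
    return BASE_CORE_YEARS * cost_ratio(bits)


def gap_bits(small, large):
    """Extra work, in bits (log2), of factoring `large` versus `small`."""
    return (gnfs_ln_cost(large) - gnfs_ln_cost(small)) / math.log(2)


def table(sizes=(1024, 1280, 1536, 2048)):
    """Rows of (bits, ratio vs 829-bit, core years, bits above RSA-1024)."""
    return [(b, cost_ratio(b), core_years(b), gap_bits(1024, b)) for b in sizes]


if __name__ == "__main__":
    for bits, ratio, years, gap in table():
        print(f"RSA-{bits}: ratio {ratio:12.3g}  core-years {years:10.3g}"
              f"  +{gap:4.1f} bits vs RSA-1024")
```

Under these assumptions the ratios come out near 200 and 90,000 and the 1024-to-1280 gap near 9 bits, in line with the figures quoted in the message.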

