<html><head></head><body><div dir="auto">+1.</div>
<div class="gmail_quote" >On Jan 20, 2019, at 18:04, Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org" target="_blank">ietf-dane@dukhovni.org</a>> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="blue"><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> On Jan 20, 2019, at 5:10 PM, Paul Hoffman &lt;phoffman@proper.com&gt; wrote:<br> <br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;"> It would be great if the operators of TLDs with 1024-bit ZSKs that<br> are unchanged since 2017-10-19 or earlier would consider rolling<br> over to new keys<br></blockquote> <br> Great for whom? This is a serious question. Given that there is no indication that RSA-1024 can be broken in a few years without hundreds of millions of dollars worth of work (unless TWIRL chips exist, and there is no indication that they do), what is the value to the DNS of rolling based on your calculations?<br></blockquote><br>A fair question. The pros are:<br><br> * The DNSSEC haters would not have the opportunity to sneer at<br> all those long-lived 1024-bit keys. The WebPKI has stopped<br> using RSA-1024, and NIST's key size guidelines had RSA-1024<br> only good through 2010 or so (IIRC).<br><br> * Even when keys are not brute forced, there is some risk of<br> keys getting disclosed by various means, sometimes unbeknownst<br> to the legitimate key holder. So rotating keys periodically<br> is a sound practice.<br><br> * We don't know whether any of the TLAs can break 1024-bit RSA,<br> but the risk is taken seriously by at least some mainstream<br> cryptographers, so it seems prudent to move to stronger keys.<br><br> * Finally, if you never roll your keys routinely, you probably<br> don't know how to do it in an emergency. Best to keep the<br> gears well oiled.<br><br>On the down side, there's some operational risk of poor execution,<br>but if one gets into the habit of rolling the keys regularly, and<br>the process is well thought out, the risk should be very low.<br><br>I am curious what others think...<br></pre></blockquote></div></body></html>