[dnssec-deployment] Signed Root @ IANA
bmanning at vacation.karoshi.com
Wed Aug 1 21:09:43 EDT 2007
On Thu, Aug 02, 2007 at 09:13:33AM +1000, Mark Andrews wrote:
>
> > On Thu, Aug 02, 2007 at 05:46:03AM +1000, Mark Andrews wrote:
> > >
> > > Another differentiator is key size. Zone keys are likely to be
> > > smaller.
> >
> > why do you think this is the case?
>
> The zone keys are generally rolled more frequently than the
> key signing keys so are exposed for a shorter period to
> crypto analysis so they don't need to be as strong.
that's a rationale for making them shorter/smaller but does
not enforce an operational mandate. there is no down
side to having the keys be the same length. and for that
matter, the size could be inverted, w/ the ZSK being larger
than the KSK.
in the end, key size is a heuristic, like the existence of the KSK
flag. One had better get the DS from the child... or at least the
DNSKEY.
> > --BILL
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
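
Added example, not part of the original thread: a short Python check that tells the secure entry point apart by matching the DS record against each DNSKEY, and reports key size and the SEP flag only as hints. The owner name `example.`, algorithm 5, the byte patterns standing in for RSA moduli, and all function names are assumptions made for illustration; the sample has the ZSK larger than the KSK, the inverted case mentioned above.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_bits(pubkey):
    """Modulus size of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    if pubkey[0]:
        elen, off = pubkey[0], 1
    else:
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[off + elen:], "big").bit_length()

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner wire name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def classify(owner, dnskeys, ds_set):
    """Per key: SEP hint, size, and whether a DS (tag, alg, digest) binds it."""
    report = []
    for rdata in dnskeys:
        flags, _proto, alg = struct.unpack("!HBB", rdata[:4])
        ds = (key_tag(rdata), alg, ds_sha256(owner, rdata))
        report.append({"tag": ds[0], "sep": bool(flags & 1),
                       "bits": rsa_bits(rdata[4:]), "ds_match": ds in ds_set})
    return report

def demo():
    # Constructed sample: byte patterns standing in for RSA moduli, not real keys.
    exp = b"\x03\x01\x00\x01"                      # exponent length 3, e = 65537
    ksk = struct.pack("!HBB", 257, 3, 5) + exp + b"\xc3" + bytes(range(127))
    zsk = struct.pack("!HBB", 256, 3, 5) + exp + b"\xd1" + bytes(range(255))
    owner = "example."
    ds_set = {(key_tag(ksk), 5, ds_sha256(owner, ksk))}   # DS published for ksk only
    return classify(owner, [ksk, zsk], ds_set)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A "bigger key is the KSK" rule picks the wrong key on this sample; only the DS match identifies the key the parent actually vouches for.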