[Dnssec-deployment] DNSSEC4J and trust anchors
Ed.Lewis at neustar.biz
Tue Jan 31 15:07:25 EST 2012
At 19:02 -0500 1/30/12, Michael StJohns wrote:
>To do roll-over, you generally need to carry three keys for a while - an
>active key, a revoked-key and a new key. Since the DNSKEY RRSet is shared
>with the ZSKs, you also need to carry at least one ZSK. 4 keys @2048
>bits / 6 (base 64 encoding) is about 350 characters * 4 or about 1400
In the spirit of questioning everything, do we need to use 2048 bit
keys for this? E.g., the new KSK could be shorter and the ZSK too.
It could be that we have a long key for a long time, then at roll
time, first roll the ZSK to be short, and then roll from a long to
short KSK. Once done, roll back to a long KSK and then a long ZSK.
Is there any concrete evidence that the root KSK needs to be 2048 bits long?
I know that longer is safer, but do we have any concrete data that
says 1024 won't do and it must be 2048? Or are we just playing it
NeuStar
You can leave a voice message at +1-571-434-5468
2012...time to reuse those 1984 calendars!
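The "350 characters times 4 is about 1400" arithmetic in the quoted message, and the question of whether shorter keys during the roll would help, can be checked with a small size model. The following is an added example, not code from the thread or from DNSSEC4J; it assumes RSA keys with the public exponent 65537 (3 bytes) laid out per RFC 3110, the root owner name (one byte on the wire), no name compression, and it counts only the DNSKEY RRs and the RRSIGs over them, not the DNS header or question section.

```python
"""Size model for a DNSSEC DNSKEY RRset during a KSK rollover.

Added example (not from the mailing-list thread). Assumptions:
RSA DNSKEY RDATA per RFC 3110 with exponent 65537, owner name "."
(1 byte), no name compression, RRSIGs made only by the listed KSKs.
"""
import math


def rsa_dnskey_rdata_len(modulus_bits, exponent_bytes=3):
    # DNSKEY RDATA: flags(2) + protocol(1) + algorithm(1)
    # + RSA public key: exponent length(1) + exponent + modulus
    return 4 + 1 + exponent_bytes + math.ceil(modulus_bits / 8)


def base64_len(nbytes):
    # Base64 expands every 3 input bytes to 4 output characters.
    return 4 * math.ceil(nbytes / 3)


def presentation_chars(key_bits):
    """Base64 characters for the public-key field of every DNSKEY RR
    (the part that dominates the zone-file line, as in the thread)."""
    # The public key field excludes the 4-byte flags/protocol/algorithm prefix.
    return sum(base64_len(rsa_dnskey_rdata_len(b) - 4) for b in key_bits)


def dnskey_rr_wire_len(modulus_bits, owner_len=1):
    # Wire RR: owner name + type(2) + class(2) + TTL(4) + RDLENGTH(2) + RDATA
    return owner_len + 10 + rsa_dnskey_rdata_len(modulus_bits)


def rrsig_rr_wire_len(signing_key_bits, owner_len=1, signer_len=1):
    # RRSIG RDATA: 18 fixed bytes + signer name + signature
    # (an RSA signature is as long as the modulus).
    return owner_len + 10 + 18 + signer_len + math.ceil(signing_key_bits / 8)


def dnskey_rrset_response_len(key_bits, signer_bits):
    """Wire bytes of the DNSKEY RRset plus one RRSIG per signing KSK."""
    keys = sum(dnskey_rr_wire_len(b) for b in key_bits)
    sigs = sum(rrsig_rr_wire_len(b) for b in signer_bits)
    return keys + sigs


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: three KSKs (active, revoked,
    # new) plus one ZSK, all at 2048 bits, versus a roll that shortens the
    # new KSK and the ZSK to 1024 bits.
    scenarios = {
        "all 2048 (3 KSK + 1 ZSK)": ([2048, 2048, 2048, 2048], [2048, 2048, 2048]),
        "2048 KSKs, new KSK+ZSK 1024": ([2048, 2048, 1024, 1024], [2048, 2048, 1024]),
    }
    for name, (keys, signers) in scenarios.items():
        print(f"{name}: base64 chars={presentation_chars(keys)}, "
              f"wire bytes (DNSKEY+RRSIG)={dnskey_rrset_response_len(keys, signers)}")
```

A single 2048-bit RSA DNSKEY comes out at 348 base64 characters, which is where the thread's "about 350" figure comes from; on the wire the RRSIGs add roughly as much again per signing KSK, so counting only the DNSKEY records understates the response a resolver actually has to receive.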