[Dnssec-deployment] DNSSEC4J and trust anchors

Edward Lewis Ed.Lewis at neustar.biz
Tue Jan 31 15:07:25 EST 2012

At 19:02 -0500 1/30/12, Michael StJohns wrote:

>To do roll-over, you generally need to carry three keys for a while - an
>active key, a revoked-key and a new key.  Since the DNSKEY RRSet is shared
>with the ZSKs, you also need to carry at least one ZSK.  4 keys @2048
>bits  / 6 (base 64 encoding) is about 350 characters * 4 or about 1400

In the spirit of questioning everything, do we need to use 2048 bit 
keys for this?  E.g., the new KSK could be shorter and the ZSK too.

It could be that we have a long key for a long time, then at roll 
time, first roll the ZSK to be short, and then roll from a long to 
short KSK.  Once done, roll back to a long KSK and then a long ZSK. 
Just suggesting...

Is there any concrete evidence that the root KSK be 2048 bits long? 
I know that longer is safer, but do we have any concrete data that 
says 1024 won't do and it must be 2048?  Or are we just playing it 

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

2012...time to reuse those 1984 calendars!

More information about the Dnssec-deployment mailing list