Re: [DNSOP] key lengths for DNSSEC
đź”’ Roy Arends <roy@dnss.ec> Wed, 02 April 2014 15:20 UTC
Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BE291A0291 for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 08:20:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UfcvlJTgh5zi for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 08:19:56 -0700 (PDT)
Received: from mail-wg0-x22f.google.com (mail-wg0-x22f.google.com [IPv6:2a00:1450:400c:c00::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 20BCF1A028C for <dnsop@ietf.org>; Wed, 2 Apr 2014 08:19:29 -0700 (PDT)
Received: by mail-wg0-f47.google.com with SMTP id x12so403478wgg.6 for <dnsop@ietf.org>; Wed, 02 Apr 2014 08:19:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to; bh=p//YbRGQb4rzBSqk5nH3QB/DfMVwnRZcxwv2jk3/rfo=; b=Alq70yWplaB6B1l/u0jl1c0sBp1zgoEROiaBaPg0+3/a6NqamN9f1aFdE6iF5wIIJR MrPuyp5yknqdis84dp3CVInimclqjiNAXox4Vf+RHcIdxYwkWvVXhAtMzPz2nbI6JLXy 5A5L72GGHtBWspR/JM/YH74OPKXw5hZmBZPWA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:content-type:from :in-reply-to:date:cc:message-id:references:to; bh=p//YbRGQb4rzBSqk5nH3QB/DfMVwnRZcxwv2jk3/rfo=; b=VOlfPd5eu0Xs6/uk6EHLa0NYGy4tNFqGKFYY3VT/cAmn8rxRyahHoOUqaZwVE95UTY 1H2J4fXQf7QQY2VPy07EUPGhgw84sLVJJq59I+Dmbk6W2cCsLWmP3hmTpd8fCxtuiIej H1oLrgAaTAkkEl7eHJ9B4OVUoyz2ocU4oEgx61O4gRjDuywSU8hgJ000bYICUMJ481gr SOz5rN+uR9Mes1j1snwXbKMB0qY9mRYqKiZ2Y/6VdM2vIvTwp3lf6C3j2ySon3KMWBBC yjpq8sYjuY4zVnD8yC7sd+PSWIkx5117oKVGVo352llgjL8goQ6OOYreLTdv3OFOAtzE YeXQ==
X-Gm-Message-State: ALoCoQnE8em9vW8JPqfryEEnquKam8WuCOykaOSS41NZEtb9+buSckKWsoGjKJFCAHhrwfLIERtG
X-Received: by 10.194.192.233 with SMTP id hj9mr1706063wjc.78.1396451965823; Wed, 02 Apr 2014 08:19:25 -0700 (PDT)
Received: from [213.248.192.180] ([213.248.192.180]) by mx.google.com with ESMTPSA id ff9sm40295624wib.11.2014.04.02.08.19.24 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 02 Apr 2014 08:19:24 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Content-Type: multipart/signed; boundary="Apple-Mail=_9A3F4675-4AB0-46CA-8A72-511086ACCA33"; protocol="application/pgp-signature"; micalg="pgp-sha1"
From: đź”’ Roy Arends <roy@dnss.ec>
In-Reply-To: <78F386B0-BC6B-4159-B9D4-4BFEB10252A6@rfc1035.com>
Date: Wed, 02 Apr 2014 16:19:25 +0100
Message-Id: <1D0A45EF-E5D3-468D-BA08-E45FEF4399DE@dnss.ec>
References: <78F386B0-BC6B-4159-B9D4-4BFEB10252A6@rfc1035.com>
To: Jim Reid <jim@rfc1035.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/9OFGgOKDRaqeZPaEqa-d0GXwtWg
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] key lengths for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 15:20:01 -0000
On 02 Apr 2014, at 15:19, Jim Reid <jim@rfc1035.com> wrote: > There's been a lot of noise and very little signal in the recent discussion. > > It would be helpful if there was real data on this topic. Is an RSA key of N bits too "weak" or too "strong"? I don't know. Is N bits "good enough"? Probably. Change the algorithm and/or value of N to taste. > > My gut feel is large ZSKs are overkill because the signatures should be short-lived and the keys rotated frequently. Though the trade-offs here are unclear: is a 512-bit key that changes daily (say) better than a 2048-bit key that gets rotated once a week/month/whatever? Remember too we're not talking about keys to launch ICBMs or authenticate billion dollar transactions. I doubt it matters if a previous key can be cracked provided it gets retired before the bad guys can throw enough CPU-years to break it. > > However I'm just going on my own gut feel and common sense which could be wrong. Large keys might well be advisable at the root and/or for TLD KSKs. But so far there does not appear to have been much science or engineering on just how large those keys should be or how frequently they change. So in the absence of other firm foundations the established wisdom becomes "do what gets done for the root". > > If there is a threat or risk here, please present solid evidence. Or, better still, an actual example of how any DNSSEC key has been compromised and then used for a real-world (or proof of concept) spoofing attack. > > > BTW, the apparent profanity on an earlier thread was annoying because it didn't spell "whisky" correctly. As every drinker of fine single malt knows. :-) :-) Jim, Just a thought that occured to me. Crypto-maffia folk are looking for a minimum (i.e. at least so many bits otherwise its insecure). DNS-maffia folk are looking for a maximum (i.e. at most soo many bits otherwise fragmentation/fallback to tcp). It seems that the cryptomaffia’s minimum might actually be larger than the DNS-maffia’s maximum. As an example (dns-op perspective). Average case: 2 keys (KSK/ZSK) + 1 sig (by KSK) with 2048 bit keys is at least 768 bytes (and then some). Roll case: 3 keys(2 KSK/1 ZSK) + 2 sig (by KSK) with 2048 bit keys is at least 1280 bytes (and then some). Then there is this section in SAC63: "Interaction of Response Size and IPv6 Fragmentation” Which relates to response sizes larger than 1280 and IPv6 and blackhole effects. https://www.icann.org/en/groups/ssac/documents/sac-063-en.pdf Hope this helps Roy
- Re: [DNSOP] key lengths for DNSSEC Phillip Hallam-Baker
- [DNSOP] key lengths for DNSSEC Jim Reid
- Re: [DNSOP] key lengths for DNSSEC Ted Lemon
- Re: [DNSOP] key lengths for DNSSEC Joe Abley
- [DNSOP] DNSng-ish (was Re: key lengths for DNSSEC) Andrew Sullivan
- Re: [DNSOP] key lengths for DNSSEC đź”’ Roy Arends
- Re: [DNSOP] key lengths for DNSSEC Phil Regnauld
- Re: [DNSOP] key lengths for DNSSEC Christopher Morrow
- Re: [DNSOP] key lengths for DNSSEC Christopher Morrow
- Re: [DNSOP] key lengths for DNSSEC Ted Lemon
- Re: [DNSOP] key lengths for DNSSEC Evan Hunt
- Re: [DNSOP] key lengths for DNSSEC Nicholas Weaver
- Re: [DNSOP] key lengths for DNSSEC Frederico A C Neves
- Re: [DNSOP] key lengths for DNSSEC Richard Lamb
- Re: [DNSOP] DNSng-ish (was Re: key lengths for DN… Phillip Hallam-Baker
- Re: [DNSOP] DNSng-ish (was Re: key lengths for DN… Andrew Sullivan
- Re: [DNSOP] DNSng-ish (was Re: key lengths for DN… Phillip Hallam-Baker
- Re: [DNSOP] DNSng-ish (was Re: key lengths for DN… Phillip Hallam-Baker
- Re: [DNSOP] key lengths for DNSSEC Tony Finch
- Re: [DNSOP] key lengths for DNSSEC Tony Finch
- [DNSOP] Signaling Cryptographic Algorithm Underst… Steve Crocker