Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Matthäus Wander <matthaeus.wander@uni-due.de> Thu, 27 March 2014 17:14 UTC


* Nicholas Weaver [2014-03-27 14:56]:
> So why are both root and com and org and, well, just about
> everyone else using 1024b keys for the actual signing?

Here's a small statistic about RSA key lengths of 741,552 signed
second-level domains (collected on 2014-01-27, counting KSK and ZSKs):

  1024 bit: 1298238
  2048 bit:  698232
  1280 bit:   28441
  4096 bit:   25326
   512 bit:    8893
  1536 bit:     385

Plus ~700 odd-sized RSA keys and ~250 DSA/GOST/ECDSA keys.

A domain owner of one of the 512-bit keys told me it was the default
config in the signing tool he had used.

Regards,
Matt

-- 
Universität Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg
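As an added example (not part of this message or the thread), here is a Python script that does what the statistic above implies: it parses DNSKEY records in presentation format, recovers the RSA modulus length from the RFC 3110 public-key encoding (one-byte exponent length, or a zero byte followed by a two-byte length), tallies key sizes per algorithm, and lists keys at or below a chosen threshold so an operator can audit their own zones. Every record in it is constructed sample data, not a real zone key; the owner names, the `weak_threshold` parameter and the helper names are assumptions of the example.

```python
import base64
from collections import Counter

# IANA DNSSEC algorithm numbers that carry RSA public keys (RFC 3110 format).
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}
# Non-RSA algorithms, reported by name only (no modulus to measure).
OTHER_ALGORITHMS = {3: "DSA", 6: "DSA-NSEC3-SHA1", 12: "ECC-GOST",
                    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
                    15: "ED25519", 16: "ED448"}


def rsa_modulus_bits(public_key: bytes) -> int:
    """Return the modulus length in bits of an RFC 3110 encoded RSA public key."""
    if not public_key:
        raise ValueError("empty public key")
    exp_len = public_key[0]
    offset = 1
    if exp_len == 0:  # long form: next two bytes hold the exponent length
        if len(public_key) < 3:
            raise ValueError("truncated exponent length")
        exp_len = int.from_bytes(public_key[1:3], "big")
        offset = 3
    modulus = public_key[offset + exp_len:]
    if not modulus:
        raise ValueError("missing modulus")
    return int.from_bytes(modulus, "big").bit_length()


def encode_rsa_public_key(exponent: int, modulus: int) -> bytes:
    """RFC 3110 encoding; used here only to build constructed sample records."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e) < 256:
        return bytes([len(e)]) + e + n
    return b"\x00" + len(e).to_bytes(2, "big") + e + n


def parse_dnskey(line: str):
    """Parse one presentation-format DNSKEY RR: owner [ttl] [class] DNSKEY flags proto alg key."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags = int(fields[idx + 1])
    algorithm = int(fields[idx + 3])
    key = base64.b64decode("".join(fields[idx + 4:]))  # key may be split across fields
    return owner, flags, algorithm, key


def tally_key_sizes(lines, weak_threshold=1024):
    """Count keys by algorithm/size and list RSA keys at or below weak_threshold bits."""
    counts = Counter()
    weak = []
    for line in lines:
        if not line.strip() or line.startswith(";"):
            continue
        owner, flags, alg, key = parse_dnskey(line)
        role = "KSK" if flags & 1 else "ZSK"  # SEP bit marks a key-signing key
        if alg in RSA_ALGORITHMS:
            bits = rsa_modulus_bits(key)
            counts[f"RSA {bits} bit"] += 1
            if bits <= weak_threshold:
                weak.append((owner, role, bits))
        else:
            counts[OTHER_ALGORITHMS.get(alg, f"alg {alg}")] += 1
    return counts, weak


def build_sample_records():
    """Constructed sample zone data (synthetic moduli, not real DNSKEYs)."""
    samples = [  # (owner, flags, algorithm, modulus bits) -- all assumed values
        ("weak.example.", 257, 8, 1024),
        ("weak.example.", 256, 8, 1024),
        ("ok.example.", 257, 8, 2048),
        ("ok.example.", 256, 8, 1024),
        ("tiny.example.", 256, 5, 512),
    ]
    lines = []
    for owner, flags, alg, bits in samples:
        key = encode_rsa_public_key(65537, (1 << (bits - 1)) | 1)
        lines.append(f"{owner} 3600 IN DNSKEY {flags} 3 {alg} "
                     f"{base64.b64encode(key).decode()}")
    # One constructed ECDSA P-256 record (64 bytes of placeholder point data).
    lines.append("ec.example. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode())
    return lines


if __name__ == "__main__":
    counts, weak = tally_key_sizes(build_sample_records())
    for label, n in counts.most_common():
        print(f"{label:>20}: {n}")
    for owner, role, bits in weak:
        print(f"at/below threshold: {owner} {role} {bits}-bit RSA")
```

Feed it the output of a `dig DNSKEY` query or a zone file's DNSKEY lines; the tally mirrors the kind of table posted above, and the threshold list is the part an operator acts on when a signing tool's default turned out to be smaller than intended.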