Re: [DNSOP] key lengths for DNSSEC
Phillip Hallam-Baker <hallam@gmail.com> Wed, 02 April 2014 23:21 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 908301A042D for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 16:21:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qnljzt47nMh4 for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 16:21:19 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id 1D52D1A042B for <dnsop@ietf.org>; Wed, 2 Apr 2014 16:21:15 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id gl10so738685lab.28 for <dnsop@ietf.org>; Wed, 02 Apr 2014 16:21:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=gPFKzIl5MyocL3gzY7GnUddAYRkS/NWNEgIqv6JhVyI=; b=atn4WfNxcGR0sLJGBOgTQ+n8GNw76AJbHiQ2cgRfAYCR/ltDlsjk98K0ndhoj7JPqk ME3gY0cSDcpQyteZ2ry3sTlIFipXh72i8zU5+65OH1M/QuawDwUcOXmfmizE71cxtpvF oOhflG3iD/iuU5oOs4h3hwqjM13bUzBzQTeLGECoKpo4QYuCZkTe21RJFmKysFj8o9M3 5QZTWVAc2EvltxVR4j95B3jI00PyFuUDyC9Bl9he50CjxLL3Tzg4qYqtNPv8NStih4fM jAG1FkQMFc3Uneboq/82BGgBbX+4Gcui+VdyOhUsHWhCVVYHxF8bMRmNXhHTxVAEnacq n+TQ==
MIME-Version: 1.0
X-Received: by 10.112.171.67 with SMTP id as3mr1899494lbc.10.1396480871262; Wed, 02 Apr 2014 16:21:11 -0700 (PDT)
Received: by 10.112.234.229 with HTTP; Wed, 2 Apr 2014 16:21:11 -0700 (PDT)
In-Reply-To: <1D0A45EF-E5D3-468D-BA08-E45FEF4399DE@dnss.ec>
References: <78F386B0-BC6B-4159-B9D4-4BFEB10252A6@rfc1035.com> <1D0A45EF-E5D3-468D-BA08-E45FEF4399DE@dnss.ec>
Date: Wed, 02 Apr 2014 19:21:11 -0400
Message-ID: <CAMm+LwgNoNhg7wSO+wqCGujBSfC4Fu3cwMPu2nTmkdvDwAD5Mw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: đź”’ Roy Arends <roy@dnss.ec>
Content-Type: multipart/alternative; boundary="001a11c2620c44704d04f6178a27"
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/LeM3wQw38SqCOBZZMFK7j5AH4R4
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] key lengths for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 23:21:24 -0000
On Wed, Apr 2, 2014 at 11:19 AM, 🔒 Roy Arends <roy@dnss.ec> wrote: > On 02 Apr 2014, at 15:19, Jim Reid <jim@rfc1035.com> wrote: > > > There's been a lot of noise and very little signal in the recent > discussion. > > > > It would be helpful if there was real data on this topic. Is an RSA key > of N bits too "weak" or too "strong"? I don't know. Is N bits "good > enough"? Probably. Change the algorithm and/or value of N to taste. > > > > My gut feel is large ZSKs are overkill because the signatures should be > short-lived and the keys rotated frequently. Though the trade-offs here are > unclear: is a 512-bit key that changes daily (say) better than a 2048-bit > key that gets rotated once a week/month/whatever? Remember too we're not > talking about keys to launch ICBMs or authenticate billion dollar > transactions. I doubt it matters if a previous key can be cracked provided > it gets retired before the bad guys can throw enough CPU-years to break it. > > > > However I'm just going on my own gut feel and common sense which could > be wrong. Large keys might well be advisable at the root and/or for TLD > KSKs. But so far there does not appear to have been much science or > engineering on just how large those keys should be or how frequently they > change. So in the absence of other firm foundations the established wisdom > becomes "do what gets done for the root". > > > > If there is a threat or risk here, please present solid evidence. Or, > better still, an actual example of how any DNSSEC key has been compromised > and then used for a real-world (or proof of concept) spoofing attack. > > > > > > BTW, the apparent profanity on an earlier thread was annoying because it > didn't spell "whisky" correctly. As every drinker of fine single malt > knows. :-) > > :-) > > Jim, > > Just a thought that occured to me. Crypto-maffia folk are looking for a > minimum (i.e. at least so many bits otherwise its insecure). DNS-maffia > folk are looking for a maximum (i.e. at most soo many bits otherwise > fragmentation/fallback to tcp). It seems that the cryptomaffia’s minimum > might actually be larger than the DNS-maffia’s maximum. > > As an example (dns-op perspective). > > Average case: 2 keys (KSK/ZSK) + 1 sig (by KSK) with 2048 bit keys is at > least 768 bytes (and then some). > Roll case: 3 keys(2 KSK/1 ZSK) + 2 sig (by KSK) with 2048 bit keys is at > least 1280 bytes (and then some). > > Then there is this section in SAC63: "Interaction of Response Size and > IPv6 Fragmentation” > > Which relates to response sizes larger than 1280 and IPv6 and blackhole > effects. > > https://www.icann.org/en/groups/ssac/documents/sac-063-en.pdf There is no doubt that we can get close to the limit on response sizes. Which is why I have been pushing the notion that if we are going to do DNSE then part of the DNSE solution should be to get us out of the single response packet straightjacket. Its not just crypto that gets crippled by this issue. We are not in 1995 any more. We have bigger computing resources and bigger security challenges. The Internet isn't a science project any more. Too much of the debate here has been for one security approach versus another. That is obsolete thinking we have been moving to multiple layers of cryptography for some time now. -- Website: http://hallambaker.com/
- Re: [DNSOP] key lengths for DNSSEC Phillip Hallam-Baker
- [DNSOP] key lengths for DNSSEC Jim Reid
- Re: [DNSOP] key lengths for DNSSEC Ted Lemon
- Re: [DNSOP] key lengths for DNSSEC Joe Abley
- [DNSOP] DNSng-ish (was Re: key lengths for DNSSEC) Andrew Sullivan
- Re: [DNSOP] key lengths for DNSSEC đź”’ Roy Arends
- Re: [DNSOP] key lengths for DNSSEC Phil Regnauld
- Re: [DNSOP] key lengths for DNSSEC Christopher Morrow
- Re: [DNSOP] key lengths for DNSSEC Christopher Morrow
- Re: [DNSOP] key lengths for DNSSEC Ted Lemon
- Re: [DNSOP] key lengths for DNSSEC Evan Hunt
- Re: [DNSOP] key lengths for DNSSEC Nicholas Weaver
- Re: [DNSOP] key lengths for DNSSEC Frederico A C Neves
- Re: [DNSOP] key lengths for DNSSEC Richard Lamb
- Re: [DNSOP] DNSng-ish (was Re: key lengths for DN… Phillip Hallam-Baker
- Re: [DNSOP] DNSng-ish (was Re: key lengths for DN… Andrew Sullivan
- Re: [DNSOP] DNSng-ish (was Re: key lengths for DN… Phillip Hallam-Baker
- Re: [DNSOP] DNSng-ish (was Re: key lengths for DN… Phillip Hallam-Baker
- Re: [DNSOP] key lengths for DNSSEC Tony Finch
- Re: [DNSOP] key lengths for DNSSEC Tony Finch
- [DNSOP] Signaling Cryptographic Algorithm Underst… Steve Crocker