Re: [DNSOP] Key sizes was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

[Joe Abley <jabley@hopcount.ca>]

On 24 Apr 2009, at 16:03, Paul Wouters wrote:

> I don't see a cryptographic reason for Paul Hoffman's "I'd like the  
> keys to
> be of equal size". Unless you'd argue that the KSK could easilly  
> also be
> 1024bit, and that the additional 11 months of validity of the KSK is
> negligable compared to the time now upto 3 years from now, to break  
> a 1024
> bit RSA key.

What benefit is there of keeping the KSK small (e.g. 1024 bits)  
instead of just choosing the maximum that your signing software  
permits (e.g. 4096 bits, I think, with dnssec-signzone)?

EDNS0 is a prerequisite for DNSSEC, if memory serves, so it's  
presumably not TCP fallback we're worried about with larger DNSKEY  
RDATA. A 4096 bit key only represents 384 more bytes of RDATA in a  
DNSKEY resource record on the wire than a 1024 bit key, and 384 bytes  
doesn't sound (naively, no science) like it's going to break the bank.

Is the root concern the computational expense of dealing with larger  
keys in a validator? Or something else? Whatever the root concern is,  
what are the boundaries?

It seems fruitless to debate whether 1024 bits is sufficient if  
there's no real cost to just choosing (say) 4096 bits and avoiding the  
discussion.


Joe