Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Thierry Moreau <> Fri, 28 March 2014 15:26 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 786D81A02DB for <>; Fri, 28 Mar 2014 08:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wDui6a4qoKhL for <>; Fri, 28 Mar 2014 08:26:57 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A70B91A06CA for <>; Fri, 28 Mar 2014 08:26:57 -0700 (PDT)
Received: from [] (DODECA1ER.CONNOTECH-INTERNAL.COM []) by (Postfix) with ESMTPA id 61277319FF; Fri, 28 Mar 2014 11:22:45 -0400 (EDT)
Message-ID: <>
Date: Fri, 28 Mar 2014 15:28:33 +0000
From: Thierry Moreau <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Nicholas Weaver <>, dnsop WG <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Mar 2014 15:26:59 -0000

On 03/27/14 13:56, Nicholas Weaver wrote:
> So why the hell do the real operators of DNSSEC that matters, notably com and ., use 1024b RSA keys?
> And don't give me that key-roll BS: Give me an out of date key for . and a MitM position, and I can basically create a false world for many DNSSEC-validating devices by also providing bogus time data with a MitM on NTP...

[Did not read all the discussion.]

Suppose I agree with the rationales for keys larger than 1024. Under 
some relatively paranoid assumptions in the threat model, they make sense.

Turning to the solution space, why not 1280 or 1459? Then increase by 
ever smaller jumps every two years.

Is it possible that the whole IT security community is social-engineered 
into thinking that anything below 2048 is inadequate for any purpose. 
Because the larger the RSA key size recommendations, the less severe the 
relative ECC performance cost on digital signature verification 
operations. Thus the ECC promoters have an in interest in the underlying 
expert community wisdom.

-- Thierry Moreau