IETF Logo Mail Archive

Re: [DNSOP] Key sizes was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Paul Hoffman <paul.hoffman@vpnc.org> Tue, 21 April 2009 22:12 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 58D673A6ED4 for <dnsop@core3.amsl.com>; Tue, 21 Apr 2009 15:12:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.282
X-Spam-Level:
X-Spam-Status: No, score=-2.282 tagged_above=-999 required=5 tests=[AWL=0.317, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xd7Md6nfbk2E for <dnsop@core3.amsl.com>; Tue, 21 Apr 2009 15:12:39 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 14A373A6D19 for <dnsop@ietf.org>; Tue, 21 Apr 2009 15:12:36 -0700 (PDT)
Received: from [10.20.30.163] (dsl-63-249-108-169.static.cruzio.com [63.249.108.169]) (authenticated bits=0) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n3LMDSWf089523 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 21 Apr 2009 15:13:30 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240814c613f23a6960@[10.20.30.163]>
In-Reply-To: <49EE276C.5070706@ca.afilias.info>
References: <20090306141501.4BA2F3A6B4B@core3.amsl.com> <49EDA81E.2000600@ca.afilias.info> <p06240807c613a658a056@[10.20.30.163]> <49EE276C.5070706@ca.afilias.info>
Date: Tue, 21 Apr 2009 15:13:27 -0700
To: Shane Kerr <shane@ca.afilias.info>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Key sizes was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2009 22:12:40 -0000

At 10:07 PM +0200 4/21/09, Shane Kerr wrote:
>Paul Hoffman wrote:
>>
>> ...assuming that you feel that attacker would spend even a million dollars to break your key. This line of logic completely discounts common sense, however. Which is more valuable to an attacker: the ability to temporarily spoof DNS responses in your zone, or the ability to masquerade as any secure web site they want to?
>
>The same RSA-cracker that our evil-doers dropped $10 million on to hack
>web SSL will work nicely for RSA DNSSEC, thanks!

You're welcome. :-) Of course it will. It will also work on all other 1024-bit keys. If you believe that your DNSSEC key is worth more to an attacker than those other keys, then you should use a larger key. Nothing special here.

> > I'm not advocating that people use 1024 bit keys; that's up to them. If someone wants to use 2048-bit keys that take about four times as much effort to sign and verify, that's great. However, those people should make decisions based on facts about DNSSEC deployment, not extrapolations from estimates that are both speculative and based on key usage that is not applicable to DNSSEC.
>
>I look at it like this:
>
>High-volume and/or high-profile sites are the very ones that will most
>likely be attacked, and the ones that should really consider a longer
>key length for security.

Of course. They should also really consider whether or not they will ever get attacked. If not (because attackers will be more interested in other keys), then that is an input to their decision-making. 'Twas ever thus.

> Low-volume and/or low-profile sites don't
>really need to care about the computation time expended, because in the
>end we're not talking about a lot of bandwidth or cycles in total.

I don't understand this. It is not the end users who will be spending the cycles doing signature validation, it is the validating resolvers.

>(The
>computational losers in DNSSEC are, as always, the validating resolvers.
>I don't know of any benchmarks showing the cost of relative key sizes
>for resolvers though, so it's all a bit hand-wavy, but it could be a
>real problem.)

'openssl speed rsa1024 rsa2048' is your friend here. On my laptop, signing takes six times longer, but verifying only takes three times longer. Different platforms will give different results.

>While you may not advocate that people use 1024 bit keys, the draft
>spends 5 paragraphs advocating 1024 bit keys.

No, it doesn't. It spends five paragraphs saying "you're probably fine with 1024 bit keys, but consider the consequences". If you have replacement wording, it would be great to see it.

>I obviously think this is
>a misguided recommendation. At the very least we should tone it down a bit.

I fully disagree with "tone it down". This is an operational document. Telling operators what they should consider when making policy is *much* better than giving them a summarized number that may not apply to DNSSEC at all. Others may disagree and want a single summarized number; however, in that case, 1024 would apply to more readers than 2048 would. Not letting the reader decide for themselves will lead to either worse security or needlessly wasted CPU cycles.

--Paul Hoffman, Director
--VPN Consortium

v2.23.0 | Report a Bug | By Email