Possibly questionable security decisions in DNS root management
Perry E. Metzger
perry at piermont.com
Wed Oct 14 18:24:06 EDT 2009

Ekr has a very good blog posting on what seems like a bad security
decision being made by Verisign on management of the DNS root key.

http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html

In summary, a decision is being made to use a "short lived" 1024-bit key
for the signature because longer keys would result in excessively large
DNS packets. However, such short keys are very likely crackable in short
periods of time if the stakes are high enough -- and few keys in
existence are this valuable.

Perry
--
Perry E. Metzger perry at piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List