Possibly questionable security decisions in DNS root management
Nicolas Williams
Nicolas.Williams at sun.com
Mon Oct 19 11:24:40 EDT 2009
Getting DNSSEC deployed with sufficiently large KSKs should be priority #1.

If 90 days for the 1024-bit ZSKs is too long, that can always be
reduced, or the ZSK keylength be increased -- we too can squeeze factors
of 10 from various places. In the early days of DNSSEC deployment the
opportunities for causing damage by breaking a ZSK will be relatively
meager. We have time to get this right; this issue does not strike me
as urgent.

OTOH, will we be able to detect breaks? A clever attacker will use
breaks in very subtle ways. A ZSK break would be bad, but something
that could be dealt with, *if* we knew it'd happened. The potential
difficulty of detecting attacks is probably the best reason for seeking
stronger keys well ahead of time.

Nico