is this "normal" if not what to do about it?

John john at klam.ca
Tue Jan 27 23:30:26 CET 2015


On 1/27/2015 2:00 PM, Viktor Dukhovni wrote:
>> Are you recommending rolling the ZSKs every 7 days, or are you talking about
>> something else?
> NO.  I'm recommending signature lifetimes of ~7 days for sites with
> the operational capacity to keep everything current on a tight
> schedule.  This way, signatures of stale records expire quickly.
I am still not quite sure what you mean. I have a sneaky feeling that we 
are talking about two different things.
My DNSKEYs have a life of about 60 days, which is what I thought you 
were talking about.

However, if I look a little closer I see that my RRSIG has a life of 
about 30 days. I don't remember specifying any times when I signed my 
zones, plus I am now using inline signing.
I think I had better find out how to specify these values for inline.

> Overkill IMHO.  Since the root zone signature is 2048 bits, anything
> stronger is just a waste of bandwidth and risks interoperability
> problems.  In a decade from now, perhaps we'll have interoperable
> options based on soon to be defined best-practice ECC curves,
>
> For now RSA-2048 is about as strong as you can reasonably get, and
> likely strong enough.

Given the length of root signatures, I have to agree that 2048 is it.
> There is AFAIK no public evidence of practical key recovery attacks
> on RSA-1024, when properly seeded.  Practical attacks on 2048-bit
> RSA seem rather unlikely at present.
>
That's the problem with cryptography. Nobody is going to tell you that 
they have broken your codes, you only find out when something unexpected 
or unpleasant happens.

Take care.

-- 
John Allen
KLaM
------------------------------------------
Support bacteria. They are the only culture some people have.
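The thread turns on the difference between DNSKEY lifetime and RRSIG validity windows, and John notes he never set the latter explicitly. The script below is an added example, not code from the thread or from any DNSSEC tool: it parses RRSIG records in the presentation format that `dig +dnssec` prints, computes each signature's validity window (expiration minus inception, both UTC timestamps per RFC 4034), and flags windows longer than a chosen policy (7 days here, following Viktor's suggestion) as well as signatures already expired or not yet valid. The sample records, the `example.net.` zone, the key tags and the placeholder signature data are all constructed for illustration.

```python
"""Audit RRSIG validity windows from records in DNS presentation format."""
from datetime import datetime, timezone

# Constructed sample RRSIGs in the layout `dig +dnssec` prints (not from the thread).
# Fields after "RRSIG": type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature (base64, truncated here).
SAMPLE_RRSIGS = """\
example.net. 3600 IN RRSIG A 8 2 3600 20150226213026 20150127213026 12345 example.net. AbCd==
example.net. 3600 IN RRSIG DNSKEY 8 2 3600 20150203213026 20150127213026 54321 example.net. EfGh==
example.net. 3600 IN RRSIG MX 8 2 3600 20150120213026 20141221213026 12345 example.net. IjKl==
"""


def _ts(field):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG line into its named fields."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": _ts(f[8]),
        "inception": _ts(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def lifetime_days(sig):
    """Validity window of a parsed RRSIG in days."""
    return (sig["expiration"] - sig["inception"]).total_seconds() / 86400


def audit(text, max_days=7, now=None):
    """Return (owner, type covered, message) tuples for signatures outside policy.

    A signature can produce two findings: one for its clock state (expired or
    not yet valid relative to `now`) and one for a window longer than `max_days`.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sig = parse_rrsig(line)
        tag = (sig["owner"], sig["type_covered"])
        if sig["expiration"] <= now:
            findings.append(tag + ("expired at %s" % sig["expiration"].isoformat(),))
        elif sig["inception"] > now:
            findings.append(tag + ("not valid until %s" % sig["inception"].isoformat(),))
        days = lifetime_days(sig)
        if days > max_days:
            findings.append(tag + ("validity window %.1f days exceeds policy of %d" % (days, max_days),))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives stable results when run by hand.
    when = datetime(2015, 1, 28, tzinfo=timezone.utc)
    for owner, rtype, msg in audit(SAMPLE_RRSIGS, max_days=7, now=when):
        print("%s %s: %s" % (owner, rtype, msg))
```

Run against real output (`dig +dnssec zone.example SOA | grep RRSIG`, piped into `audit`), the window length is the number to compare with the 7-day figure in the thread; the 30-day window John observes matches what BIND's per-zone `sig-validity-interval` option produces when it is left at its default, so that is the option to set when tightening the schedule for an inline-signed zone.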
