is this "normal" if not what to do about it?
john at klam.ca
Tue Jan 27 23:30:26 CET 2015
On 1/27/2015 2:00 PM, Viktor Dukhovni wrote:
>> Are you recommending rolling the ZSKs every 7 days, or are you talking about
>> something else?
> NO. I'm recommending signature lifetimes of ~7 days for sites with
> the operational capacity to keep everything current on a tight
> schedule. This way, signatures of stale records expire quickly.
I am still not quite sure what you mean. I have a sneaky feeling that we
are talking about two different things.
My DNSKEYs have a life of about 60 days, which is what I thought you
were talking about.
However, if I look a little closer I see that my RRSIG has a life of
about 30 days. I don't remember specifying any times when I signed my
zones, plus I am now using inline signing.
I think I had better find out how to specify these values for inline.
> Overkill IMHO. Since the root zone signature is 2048 bits, anything
> stronger is just a waste of bandwidth and risks interoperability
> problems. In a decade from now, perhaps we'll have interoperable
> options based on soon to be defined best-practice ECC curves.
> For now RSA-2048 is about as strong as you can reasonably get, and
> likely strong enough.
Given the length of root signatures, I have to agree that 2048 is it.
> There is AFAIK no public evidence of practical key recovery attacks
> on RSA-1024, when properly seeded. Practical attacks on 2048-bit
> RSA seem rather unlikely at present.
That's the problem with cryptography. Nobody is going to tell you that
they have broken your codes; you only find out when something unexpected
or unpleasant happens.
Support bacteria. They are the only culture some people have.
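The ~7-day versus 30-day signature lifetimes discussed above can be audited from a zone's RRSIG records rather than guessed at. The following is an added example, not code from the thread or from any DNS software: it parses RRSIG presentation-format lines (the constructed sample records and the `example.test` names are assumptions), computes each signature's lifetime and remaining validity, and flags lifetimes over a chosen maximum or signatures close to expiry, which is the "stale records expire quickly" property the thread is after.

```python
from datetime import datetime, timezone

# Constructed sample RRSIGs in presentation format (not taken from the thread).
# Fields: owner TTL class RRSIG type alg labels orig-TTL expiration inception keytag signer sig
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A 8 2 3600 20150226120000 20150127120000 12345 example.test. AAAA==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20150203120000 20150127120000 54321 example.test. BBBB==
www.example.test. 3600 IN RRSIG A 8 3 3600 20150129120000 20150127120000 12345 example.test. CCCC==
"""

def _ts(s):
    # RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG presentation-format line: %r" % line)
    return {"owner": f[0], "type": f[4], "alg": int(f[5]), "keytag": int(f[10]),
            "expiration": _ts(f[8]), "inception": _ts(f[9])}

def audit_rrsigs(text, now_str, max_lifetime_days=7, min_remaining_days=2):
    """One finding per RRSIG: lifetime, days left at `now_str`, and warnings."""
    now = _ts(now_str)
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_rrsig(line)
        lifetime = (r["expiration"] - r["inception"]).total_seconds() / 86400
        remaining = (r["expiration"] - now).total_seconds() / 86400
        warnings = []
        if lifetime > max_lifetime_days:          # signed for longer than policy allows
            warnings.append("lifetime %.1fd exceeds %dd" % (lifetime, max_lifetime_days))
        if remaining < 0:                          # validators will reject this already
            warnings.append("EXPIRED")
        elif remaining < min_remaining_days:       # re-signing must happen before expiry
            warnings.append("expires in %.1fd; re-sign now" % remaining)
        findings.append({"owner": r["owner"], "type": r["type"], "lifetime_days": lifetime,
                         "remaining_days": remaining, "warnings": warnings})
    return findings

if __name__ == "__main__":
    for f in audit_rrsigs(SAMPLE_RRSIGS, "20150128000000"):
        print(f["owner"], f["type"], "%.1fd lifetime, %.1fd left" %
              (f["lifetime_days"], f["remaining_days"]), f["warnings"] or "ok")
```

Feed it the output of `dig +dnssec` or a signed zone file's RRSIG lines to see which signatures were produced with a 30-day window.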