Update on stats 2019-11
Mark Elkins
mje at posix.co.za
Mon Dec 2 19:01:27 CET 2019
On 2019/12/02 12:16, Michael Grimm wrote:
> Hi
>
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
>> Also adoption of ECDSA P-256 (algorithm 13) continues to grow,
>> and the number of domains using P-256 KSKs has almost reached
>> parity with RSA-SHA256 (algorithm 8), which is just ahead for
>> now, but likely not for very much longer.
I run a small ISP in South Africa - with about 2000 domains. About 200
of these are DNSSEC signed. I'm in the process of migrating them from
algo 8 to algo 13. It's all scripted and the conversions are all
happening automatically. The KSK-ZSK chain has to be complete through
with at least one common Algorithm. I also don't want to re-sign
everything at the same time - so everything is spread out over a year. I
keep KSK's for a year and ZSK's for a month.
ZSK's are dealt with totally internally whereas a KSK rollover means
talking to the Parent zone and changing DS records - so I'm timing
everything with my KSK's.
When a KSK is due to roll, create both an Algo-13 KSK and ZSK. Upload
the appropriate DS. Once the new DS record is "seen" (and give it
another day) - then delete the old DS, KSK and ZSK.
The KSK and ZSK signatures are much shorter - so you are less likely to
be used as a DDOS source for a DNS Denial of service attack (the
amplification is way lower).
You don't need to increase the Key Size.
>
> My KSK and ZSK are both of algorithm 8 and 2048 bits in size.
>
> Is it correct to assume that -due to the growing adoption of algorithm 13- that this algorithm should be preferred?
> If so, I would like to migrate.
> But, I do have some questions to the community beforehand:
>
> #) Can one mix KSK and ZSK algorithms?
>
> (I do have a rollover of my ZSKs due in a couple of days. Thus starting with ZSKs would be convenient.)
>
> #) Would it be wise to increase from 2048 to 4096 bits size?
>
> Thanks in advance and with kind regards,
> Michael
>
>
>
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
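The rollover order in the message above (add the algorithm-13 KSK and ZSK, upload the new DS, wait until it is seen plus a day, then drop the old DS, KSK and ZSK) works because at every stage each algorithm present in the parent's DS RRset still has both a KSK and a ZSK signing the child zone. The following is an added example, not code from this thread or from Posix Systems' own scripts; it checks that invariant for each stage of a planned rollover and flags the mis-ordered variant where the DS goes to the parent before the matching ZSK is in the zone. Key tags, the `Key`/`DS` types and the stage labels are constructed for illustration.

```python
"""Stage-by-stage consistency check for a DNSSEC algorithm rollover (alg 8 -> alg 13).

Added example, not code from the dane-users thread. Rule modelled: while a DS
for an algorithm is published at the parent, the child zone must carry a KSK and
a ZSK of that algorithm, i.e. the signer must sign with every algorithm in the
DS RRset (RFC 4035 section 2.2, RFC 6840 section 5.11).
"""
from dataclasses import dataclass

RSASHA256 = 8          # RSA/SHA-256, the "algo 8" of the thread
ECDSAP256SHA256 = 13   # ECDSA P-256/SHA-256, the "algo 13" of the thread


@dataclass(frozen=True)
class Key:
    tag: int          # key tag; sample values below are constructed
    algorithm: int
    ksk: bool         # True: KSK (SEP flag set), False: ZSK


@dataclass(frozen=True)
class DS:
    tag: int          # key tag of the KSK the DS record digests
    algorithm: int


def zone_is_consistent(dnskeys, ds_rrset):
    """Return (ok, problems) for one DNSKEY RRset / DS RRset combination."""
    problems = []
    if not ds_rrset:
        problems.append("DS RRset empty: resolvers treat the zone as insecure")
    for ds in ds_rrset:
        # Every published DS must point at a KSK that is actually in the zone.
        if not any(k.ksk and k.tag == ds.tag and k.algorithm == ds.algorithm for k in dnskeys):
            problems.append(f"DS tag {ds.tag}/alg {ds.algorithm} matches no KSK in the zone")
    for alg in sorted({ds.algorithm for ds in ds_rrset}):
        # Every DS algorithm needs a KSK (signs DNSKEY) and a ZSK (signs zone data).
        if not any(k.ksk and k.algorithm == alg for k in dnskeys):
            problems.append(f"alg {alg} in DS RRset but no KSK of alg {alg} in the zone")
        if not any((not k.ksk) and k.algorithm == alg for k in dnskeys):
            problems.append(f"alg {alg} in DS RRset but no ZSK of alg {alg} signs zone data")
    return (not problems, problems)


# Constructed sample keys: the old algorithm-8 pair and the new algorithm-13 pair.
OLD_KSK = Key(tag=12345, algorithm=RSASHA256, ksk=True)
OLD_ZSK = Key(tag=23456, algorithm=RSASHA256, ksk=False)
NEW_KSK = Key(tag=34567, algorithm=ECDSAP256SHA256, ksk=True)
NEW_ZSK = Key(tag=45678, algorithm=ECDSAP256SHA256, ksk=False)
OLD_DS = DS(tag=OLD_KSK.tag, algorithm=RSASHA256)
NEW_DS = DS(tag=NEW_KSK.tag, algorithm=ECDSAP256SHA256)


def rollover_as_described():
    """Stages in the order the message gives: new KSK+ZSK first, then the new DS,
    then (after the DS has been seen and a further day has passed) remove the old
    DS, KSK and ZSK together."""
    return [
        ("start: alg 8 only", {OLD_KSK, OLD_ZSK}, {OLD_DS}),
        ("alg 13 KSK+ZSK added, zone signed with both", {OLD_KSK, OLD_ZSK, NEW_KSK, NEW_ZSK}, {OLD_DS}),
        ("alg 13 DS uploaded, both DS at parent", {OLD_KSK, OLD_ZSK, NEW_KSK, NEW_ZSK}, {OLD_DS, NEW_DS}),
        ("old DS, KSK and ZSK removed", {NEW_KSK, NEW_ZSK}, {NEW_DS}),
    ]


def rollover_ds_too_early():
    """Mis-ordered variant: the alg-13 DS reaches the parent while only the
    alg-13 KSK is in the zone, so alg-13 signs no zone data yet."""
    return [
        ("start: alg 8 only", {OLD_KSK, OLD_ZSK}, {OLD_DS}),
        ("alg 13 KSK only, DS already uploaded", {OLD_KSK, OLD_ZSK, NEW_KSK}, {OLD_DS, NEW_DS}),
    ]


def check_stages(stages):
    """Map each stage label to (ok, problems)."""
    return {label: zone_is_consistent(keys, ds) for label, keys, ds in stages}


def rollover_is_safe(stages):
    """A plan is safe only if every intermediate stage is consistent."""
    return all(ok for ok, _ in check_stages(stages).values())


if __name__ == "__main__":
    for name, plan in (("as described", rollover_as_described()),
                       ("DS too early", rollover_ds_too_early())):
        print(name, "->", "safe" if rollover_is_safe(plan) else "UNSAFE")
        for label, (ok, problems) in check_stages(plan).items():
            print("  ", "ok " if ok else "BAD", label, *problems)
```

The check is the signer-side obligation only; a validator is not required to insist on every algorithm, but a zone that breaks the rule will be bogus for validators that do. In practice the stage transitions also have to wait out the relevant TTLs (the DNSKEY TTL before the DS upload, the DS TTL before removing the old keys), which is the "give it another day" in the message.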