Paul Wouters
2018-Feb-15 17:26 UTC
[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation
> On Feb 15, 2018, at 12:23, Michael A. Peters <mpeters at domblogger.net> wrote:
>
> ZSK is easy but ZSK should be 1024-bit to keep DNS responses small,

There is no proof this is needed or required.

And strong reasons to not use 1024 RSA anymore. The root ZSK is now 2048 with no issues reported.

Paul

Michael A. Peters
2018-Feb-15 18:54 UTC
[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation
On 02/15/2018 09:26 AM, Paul Wouters wrote:
>
>> On Feb 15, 2018, at 12:23, Michael A. Peters <mpeters at domblogger.net> wrote:
>>
>> ZSK is easy but ZSK should be 1024-bit to keep DNS responses small,
>
> There is no proof this is needed or required.
>
> And strong reasons to not use 1024 RSA anymore. The root ZSK is now 2048 with no issues reported.
>
> Paul
>

Thank you. I believe the fear was abuse in DDoS amplification attacks.