by yuhong 3877 days ago
I have suggested DNSSEC2 several times and it would likely use ECC not RSA. At least the root keys are 2048-bit RSA now, right?
1 comments

The DNS root is signed with a 1024-bit key, currently:

    -----BEGIN RSA PUBLIC KEY-----
    MIGJAoGBALgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNM
    ioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaR
    F2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXlAgMBAAE=
    -----END RSA PUBLIC KEY-----

That key - the zone signing key - is signed with the key signing key, which is 2048 bits.
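
An added example, not part of the thread: a standard-library check that decodes the PKCS#1 key quoted in the comment above and reports its modulus size. The helper names and the 2048-bit minimum used by `audit` are assumptions made for this illustration.

```python
import base64

# PEM text copied from the comment above (PKCS#1 "RSA PUBLIC KEY" format).
PEM = """-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNM
ioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaR
F2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXlAgMBAAE=
-----END RSA PUBLIC KEY-----"""

def read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def parse_rsa_public_key(pem):
    """Return (modulus, exponent) from a PKCS#1 RSAPublicKey PEM."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (lines[0] != "-----BEGIN RSA PUBLIC KEY-----"
            or lines[-1] != "-----END RSA PUBLIC KEY-----"):
        raise ValueError("not a PKCS#1 RSA public key")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(seq, 0)
    tag_e, e_bytes, pos = read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def audit(pem, minimum_bits=2048):  # minimum_bits is an assumed policy value
    """Return (modulus_bits, exponent, meets_minimum)."""
    n, e = parse_rsa_public_key(pem)
    return n.bit_length(), e, n.bit_length() >= minimum_bits

if __name__ == "__main__":
    print(audit(PEM))
```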