by woodruffw 876 days ago
As a side question: am I correct in reading this to imply that the two "leaf" keys here are both RSA 1024 keys? RSA 1024 has been considered within nation-state capabilities for well over a decade, and NIST has explicitly discouraged them for DNSSEC for close to a decade[1].

I can understand not using larger RSA key sizes for framing reasons, but what is stopping the DNSSEC ecosystem from using ECC?

[1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...


ECDSA is available in DNSSEC, and there is a slow migration to ECC in progress; see https://stats.dnssec-tools.org/#/?dnssec_param_tab=0

The .EDU, .NET, and .COM zones were recently migrated from RSA to ECDSA (DNSSEC algorithm 13); see, for instance: https://lists.dns-oarc.net/pipermail/dns-operations/2023-Dec...

Anyone newly enabling DNSSEC on their zone should probably use ECDSA.
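The thread turns on two checkable properties of a zone's DNSKEY records: which algorithm number they carry (13 being ECDSA P-256, the one the .EDU/.NET/.COM migration moved to) and, for the RSA algorithms, how long the modulus is. The following Python script is an added example written for this page, not code from any commenter or project; it parses DNSKEY records in presentation format, recovers the RSA modulus length from the RFC 3110 key encoding, and flags sub-2048-bit RSA keys and SHA-1-based algorithms. The 2048-bit floor is a threshold chosen for this example, the function names are the author's own, and the sample records are constructed filler keys, not real zone data.

```python
import base64

# DNSSEC algorithm numbers from the IANA registry. Algorithm 13 (ECDSA P-256 with
# SHA-256) is the one named in the thread; the others are listed for completeness.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
# name, expected public-key length in bytes, nominal key size in bits
EC_ALGORITHMS = {
    13: ("ECDSAP256SHA256", 64, 256),   # x||y coordinates, RFC 6605
    14: ("ECDSAP384SHA384", 96, 384),
    15: ("ED25519", 32, 256),          # RFC 8080
    16: ("ED448", 57, 456),
}
# Policy floor chosen for this example (an assumption, not a value from the thread).
RSA_MIN_BITS = 2048


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Return the modulus length of an RSA DNSKEY public key (RFC 3110 wire format:
    one-byte exponent length, or 0x00 plus a two-byte length, then exponent, then modulus)."""
    if not pubkey:
        raise ValueError("empty RSA public key")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("RSA key has no modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(line: str) -> dict:
    """Parse a DNSKEY record in presentation format: either a full zone-file line
    ('owner TTL IN DNSKEY flags 3 alg key...') or the 'flags 3 alg key...' form
    printed by `dig +short`. The base64 key may be split over several tokens."""
    tokens = line.split()
    if "DNSKEY" in tokens:
        owner, start = tokens[0], tokens.index("DNSKEY") + 1
    else:
        owner, start = None, 0
    if len(tokens) < start + 4:
        raise ValueError("not a DNSKEY record: %r" % line)
    flags, protocol, algorithm = (int(t) for t in tokens[start:start + 3])
    key = base64.b64decode("".join(tokens[start + 3:]))
    return {"owner": owner, "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key": key}


def assess_dnskey(line: str, rsa_min_bits: int = RSA_MIN_BITS) -> dict:
    """Classify one DNSKEY: key role, algorithm family, key size, and a verdict."""
    rec = parse_dnskey(line)
    alg = rec["algorithm"]
    # The SEP flag (least significant flags bit) marks a key-signing key.
    role = "KSK" if rec["flags"] & 1 else "ZSK"
    bits, verdict, name = None, "unknown-algorithm", "alg%d" % alg
    if alg in RSA_ALGORITHMS:
        name = RSA_ALGORITHMS[alg]
        bits = rsa_modulus_bits(rec["key"])
        if alg in (5, 7):
            verdict = "deprecated-sha1"    # RFC 8624: not recommended for signing
        elif bits < rsa_min_bits:
            verdict = "weak-rsa"
        else:
            verdict = "ok"
    elif alg in EC_ALGORITHMS:
        name, expected_len, bits = EC_ALGORITHMS[alg]
        verdict = "ok" if len(rec["key"]) == expected_len else "malformed"
    return {"owner": rec["owner"], "role": role, "algorithm": alg,
            "name": name, "bits": bits, "verdict": verdict}


def audit(lines) -> list:
    """Assess every DNSKEY line, skipping blank lines and ';' comments."""
    return [assess_dnskey(l) for l in lines if l.strip() and not l.lstrip().startswith(";")]


# --- constructed sample records (filler key material, not real keys) ----------

def build_rsa_pubkey(modulus_bits: int, exponent: int = 65537) -> bytes:
    """Encode a *constructed* RSA public key in RFC 3110 format; the modulus is
    filler with its top bit set so the reported size is exact."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    modulus = b"\xc3" + b"\x5a" * (modulus_bits // 8 - 1)
    return prefix + exp + modulus


def dnskey_line(owner: str, flags: int, alg: int, key: bytes) -> str:
    return "%s 3600 IN DNSKEY %d 3 %d %s" % (owner, flags, alg, base64.b64encode(key).decode())


SAMPLE_RECORDS = [
    dnskey_line("example.test.", 257, 8, build_rsa_pubkey(1024)),   # RSA/SHA-256 KSK, 1024-bit
    dnskey_line("example.test.", 256, 8, build_rsa_pubkey(1024)),   # RSA/SHA-256 ZSK, 1024-bit
    dnskey_line("example.test.", 257, 13, bytes(range(64))),        # ECDSA P-256 KSK
]

if __name__ == "__main__":
    for r in audit(SAMPLE_RECORDS):
        print("%-14s %s %-18s %s bits  %s" % (r["owner"], r["role"], r["name"], r["bits"], r["verdict"]))
```

To run it against a real zone, pipe the output of `dig +short DNSKEY <zone>` (one record per line) into `audit()`; the parser accepts both that short form and full zone-file lines. Note that the verdict is about key length and hash algorithm only, which is the narrow question raised in the thread; it says nothing about whether the zone's signatures validate or whether the chain of trust to the parent is intact.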

Until relatively recently, ECC DNS had (if I'm remembering Geoff Huston right) a 5% failure rate for resolvers. Towards the end, that may have mostly been a misconfiguration artifact (DNSSEC is extremely easy to misconfigure; see again Huston) but either way the perception has been that RSA is more compatible.

Also: why would you bother changing at this point? DNSSEC isn't getting traction (see, once again, Geoff Huston).

The 1024-bit key thing is unforgivable in 2024, but also endemic to DNSSEC.

Yep, I'm not a defender of DNSSEC, just not especially familiar with it. The RSA 1024 thing was surprising as an outsider!

Oh, yeah, no, I know you're not, I'm just relating ECC and RSA strength facts about DNSSEC. I think the observations I'm making are pretty straightforward?