PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

Reconsider RSA defaults #2095

Closed Habbie closed 8 years ago

Habbie commented 9 years ago

pdnssec secure-zone currently defaults to algo 8 with a 2048 bit KSK and a 1024 bit ZSK. The way PowerDNS currently works and is deployed by most people, the KSK/ZSK split makes no sense, other than slightly reducing load on validators (which does not strike me as an important argument).

Suggestions:

  1. drop the 1024 bit ZSK (thus increasing overall security and reducing DNSKEY RRset size)
  2. increase the ZSK to 2048 (similarly increasing security; increasing DNSKEY RRset size; less (or possibly just different) confusion about the lack of key split)

X-Cli commented 8 years ago

I completely subscribe to your security analysis: current deployments do not benefit from KSK/ZSK splitting. I also confirm that several information security gov agencies publicly document that RSA 1024 should not be used. Therefore, I, hat-off, would recommend using an RSA 2048 CSK by default.

Habbie commented 8 years ago

Follow up question for anybody reading this - CSK with or without SEP set?

jpmens commented 8 years ago

CSK as 257; I think that would make things clearer for people who've read that SEP bit is the trust anchor for the zone. (Though I know it's not required, e.g. dig co.uk dnskey :-)

Habbie commented 8 years ago

Yes, 257 is clearer but it's good to know validators won't choke on it, given that co.uk runs with 256 :)

Habbie commented 8 years ago

@ahupowerdns has just made the executive decision to go ECDSA, which to me means that most split-key arguments are falling away as well.

jpmens commented 8 years ago

Executive Decision? You asked for votes! ;-)

Habbie commented 8 years ago

Pondering 13 vs. 14. Key flags probably 256. Should fix #3068 to go with this.

Habbie commented 8 years ago

13 (ecdsa256), key flags 256, one key. Now on master.
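
Added example, not part of the thread and not PowerDNS code: a small auditor for the properties discussed above. It reads DNSKEY RDATA in presentation format, decodes the flags (256 vs. 257, i.e. SEP bit), and flags RSA keys below 2048 bits by parsing the RFC 3110 key encoding. The function names and sample keys are constructed for illustration; the sample key bytes only have the right length and are not real keys.

```python
import base64

RSA_ALGS = {5, 7, 8, 10}         # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
FIXED_BITS = {13: 256, 14: 384}  # ECDSAP256SHA256, ECDSAP384SHA384 (curve size)

def rsa_modulus_bits(key: bytes) -> int:
    """Modulus size of an RFC 3110 key: exponent length, exponent, modulus."""
    if not key:
        raise ValueError("empty key")
    if key[0] != 0:
        exp_len, off = key[0], 1
    else:                        # long form: 0x00 followed by a 2-byte length
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    modulus = key[off + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dnskey(rdata: str, min_rsa_bits: int = 2048) -> dict:
    """Audit one DNSKEY RDATA string: '<flags> <protocol> <algorithm> <base64 key>'."""
    flags, _proto, alg, *b64 = rdata.split()
    flags, alg = int(flags), int(alg)
    key = base64.b64decode("".join(b64))
    bits = rsa_modulus_bits(key) if alg in RSA_ALGS else FIXED_BITS.get(alg)
    return {
        "flags": flags,
        "zone_key": bool(flags & 0x0100),
        "sep": bool(flags & 0x0001),   # 257 has SEP set, 256 does not
        "algorithm": alg,
        "bits": bits,
        "weak": alg in RSA_ALGS and bits < min_rsa_bits,
    }

def _rsa(bits: int) -> bytes:
    # Constructed sample: exponent 65537, modulus of the right length (not a real key)
    return b"\x03\x01\x00\x01" + b"\x80" + b"\x01" * (bits // 8 - 1)

def _rdata(flags: int, alg: int, key: bytes) -> str:
    return f"{flags} 3 {alg} {base64.b64encode(key).decode()}"

# Constructed RRsets mirroring the thread: old split RSA defaults vs. the new single key
SAMPLES = {
    "old KSK": _rdata(257, 8, _rsa(2048)),
    "old ZSK": _rdata(256, 8, _rsa(1024)),
    "new key": _rdata(256, 13, b"\x02" * 64),  # 64-byte placeholder for a P-256 point
}

if __name__ == "__main__":
    for name, rd in SAMPLES.items():
        print(name, audit_dnskey(rd))
```

To check a live zone, pass each RDATA string from a DNSKEY query (for example the output of `dig +short <zone> dnskey`) to `audit_dnskey`.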