On Mon, Dec 02, 2019 at 08:14:30PM +0100, Michael Grimm wrote:
Definitely not, instead 1280 bits, but then migrate to P-256.
That 1280 bit advice is RSA-only. RSA has variable-size keys.
I will migrate both KSK and ZSK to P-256. I understood that a ZSK should be of size 1280 bits, but what is the optimal size of a P-256 KSK [1]?
Best practice for an *RSA* ZSK is ~1280 bits, but P-256 has fixed-size keys, so the question does not make sense...
The key blob (in "uncompressed" point format) is 512 bits, but we simply don't talk about key bits with EC crypto, instead we talk about choices of "curve" (which imply the key and signature sizes). P-256 is the most widely used EC curve. It is gradually being superseded by Ed25519, but too few DNS resolvers support Ed25519 to make it a practical choice for DNSSEC just yet.
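To make the "variable-size RSA vs. fixed-size P-256" point concrete, here is an added example (not code from anyone in this thread) that parses DNSKEY records in presentation format and reports the public key size per algorithm. It relies only on the wire layouts from RFC 3110 (RSA: exponent length, exponent, modulus) and RFC 6605 (ECDSA P-256: 64-byte x||y, no point-format prefix), plus the IANA algorithm numbers 8, 13 and 15. The DNSKEY lines are constructed sample data, not real keys from any zone.

```python
import base64
import struct

# IANA DNS Security Algorithm Numbers used below
RSASHA256 = 8          # RFC 5702
ECDSAP256SHA256 = 13   # RFC 6605
ED25519 = 15           # RFC 8080

# DNSKEY flag bits: 256 = zone key (ZSK), 257 = zone key + SEP (KSK)
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001


def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 layout: exponent length (1 byte, or 0 followed by a
    2-byte length), then the exponent, then the modulus."""
    if not pubkey:
        raise ValueError("empty RSA public key")
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:
        if len(pubkey) < 3:
            raise ValueError("truncated RSA exponent length")
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[off + exp_len:]
    if not modulus:
        raise ValueError("RSA key has no modulus")
    # bit_length() ignores leading zero bytes, so this is the true modulus size
    return int.from_bytes(modulus, "big").bit_length()


def key_size_bits(algorithm: int, pubkey: bytes) -> dict:
    """Return the key size and whether the algorithm has a tunable key size."""
    if algorithm == RSASHA256:
        return {"algorithm": "RSASHA256", "variable_size": True,
                "public_key_bits": rsa_modulus_bits(pubkey)}
    if algorithm == ECDSAP256SHA256:
        # RFC 6605: uncompressed x || y, 32 bytes each, no 0x04 prefix
        if len(pubkey) != 64:
            raise ValueError("P-256 DNSKEY must be exactly 64 bytes, got %d" % len(pubkey))
        return {"algorithm": "ECDSAP256SHA256", "variable_size": False,
                "public_key_bits": len(pubkey) * 8}
    if algorithm == ED25519:
        if len(pubkey) != 32:
            raise ValueError("Ed25519 DNSKEY must be exactly 32 bytes, got %d" % len(pubkey))
        return {"algorithm": "ED25519", "variable_size": False,
                "public_key_bits": len(pubkey) * 8}
    raise ValueError("unsupported algorithm %d" % algorithm)


def parse_dnskey_rr(line: str) -> dict:
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record")
    i = fields.index("DNSKEY")
    flags, proto, alg = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    info = key_size_bits(alg, pubkey)
    info["owner"] = fields[0]
    info["role"] = "KSK" if flags & FLAG_SEP else "ZSK" if flags & FLAG_ZONE else "other"
    return info


# Constructed sample keys (labelled as such): a 1280-bit RSA ZSK and a P-256 KSK.
_RSA_1280 = b"\x03\x01\x00\x01" + b"\xc3" + b"\xa5" * 159   # e=65537, 160-byte modulus
_P256 = bytes(range(1, 65))                                  # 64-byte x||y placeholder
SAMPLE_ZONE = [
    "example.test. 3600 IN DNSKEY 256 3 8 " + base64.b64encode(_RSA_1280).decode(),
    "example.test. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(_P256).decode(),
]


def summarize(lines) -> list:
    """Size summary for every DNSKEY in the list, one dict per record."""
    return [parse_dnskey_rr(l) for l in lines]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_ZONE):
        print("%(owner)s %(role)s %(algorithm)s: %(public_key_bits)d bits, "
              "size tunable: %(variable_size)s" % rec)
```

Running it on the constructed zone prints the RSA ZSK as 1280 bits with a tunable size and the P-256 KSK as a 512-bit blob with no size choice at all, which is why the only knob for P-256 is the curve itself.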