On Mon, Dec 02, 2019 at 11:16:56AM +0100, Michael Grimm wrote:
> Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>
> > Also adoption of ECDSA P-256 (algorithm 13) continues to grow, and the number of domains using P-256 KSKs has almost reached parity with RSA-SHA256 (algorithm 8), which is just ahead for now, but likely not for very much longer.
>
> My KSK and ZSK are both of algorithm 8 and 2048 bits in size.

That's mostly OK, but the 2048-bit ZSK means that denial of existence responses are likely to exceed the IPv6 MTU, and may cause some lookup issues. With RSA, the best-practice ZSK size is likely 1280 bits, rotated often enough (every 90 days or so) to not pose significant risk of cryptanalysis.

> Is it correct to assume (due to the growing adoption of algorithm 13) that this algorithm should be preferred?

Yes. ECDSA P-256 is better suited to DNSSEC.

> #) Can one mix KSK and ZSK algorithms?

This is not recommended. To switch algorithms:

0. Migrate to a 1280 or 1024-bit ZSK, to keep packet sizes down, wait a few TTLs.
1. Add and activate a P-256 ZSK, wait a few TTLs after all secondaries are serving the updated zone.
2. Add and activate a P-256 KSK, wait a few TTLs after all secondaries are serving the updated zone.
3. Update the DS record in the parent zone to match the P-256 KSK (you can now drop the DS matching the RSA KSK). Wait a few parent zone TTLs after the new DS is visible in all parent zone nameservers.
4. Drop the RSA KSK from your zone, wait a few TTLs.
5. Drop the RSA ZSK from your zone. You're done.

> (I do have a rollover of my ZSKs due in a couple of days. Thus starting with ZSKs would be convenient.)

* The order of addition is: ZSK -> KSK -> DS
* The order of removal is: DS -> KSK -> ZSK

> #) Would it be wise to increase from 2048 to 4096 bits size?

Definitely not; instead 1280 bits, but then migrate to P-256.
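The ordering rules behind steps 1-5, as an added example that is not part of this thread or any DNS tool: a Python check that computes DNSKEY key tags per RFC 4034 Appendix B, flags a DNSKEY/DS combination that breaks the RFC 4035 section 2.2 algorithm rules (every DS algorithm needs a KSK signing DNSKEY, every DNSKEY algorithm needs a ZSK signing the zone), and walks a zone through the rollover states. The key material and the zone are constructed placeholders, not real keys.

```python
import base64
import struct
from dataclasses import dataclass

# Constructed sample key material: a few placeholder bytes, not real public keys.
# Key tags are still computed from it exactly as RFC 4034 Appendix B specifies.
@dataclass(frozen=True)
class DNSKEY:
    flags: int       # 256 = ZSK, 257 = KSK (SEP bit set)
    algorithm: int   # 8 = RSASHA256, 13 = ECDSAP256SHA256
    pubkey_b64: str

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the DNSKEY RDATA (protocol octet is always 3)."""
        rdata = struct.pack("!HBB", self.flags, 3, self.algorithm) + base64.b64decode(self.pubkey_b64)
        acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF

def check_chain(dnskeys: set, ds: set) -> list:
    """Problems with a DNSKEY RRset versus the parent's DS RRset, given as (key_tag, algorithm) pairs.
    Encodes the RFC 4035 section 2.2 rules behind the ZSK -> KSK -> DS / DS -> KSK -> ZSK ordering."""
    problems = []
    ksk_ids = {(k.key_tag(), k.algorithm) for k in dnskeys if k.flags & 1}
    ksk_algs = {k.algorithm for k in dnskeys if k.flags & 1}
    zsk_algs = {k.algorithm for k in dnskeys if not k.flags & 1}
    if not ds & ksk_ids:
        problems.append("no DS matches any KSK: chain of trust broken")
    for tag, alg in sorted(ds):  # every DS algorithm needs a KSK of that algorithm signing DNSKEY
        if alg not in ksk_algs:
            problems.append(f"DS {tag}/{alg}: no KSK of algorithm {alg} signs the DNSKEY RRset")
    for alg in sorted(ksk_algs | zsk_algs):  # every DNSKEY algorithm must sign the whole zone
        if alg not in zsk_algs:
            problems.append(f"algorithm {alg} in DNSKEY but no ZSK of it signs the zone's RRsets")
    return problems

RSA_KSK, RSA_ZSK = DNSKEY(257, 8, "AQIDBA=="), DNSKEY(256, 8, "BQYHCA==")
P256_KSK, P256_ZSK = DNSKEY(257, 13, "AQIDBA=="), DNSKEY(256, 13, "BQYHCA==")
DS_RSA, DS_P256 = (RSA_KSK.key_tag(), 8), (P256_KSK.key_tag(), 13)

def rollover_states() -> list:
    """Zone state after each of steps 1-5 above, as (DNSKEY RRset, DS RRset) pairs."""
    return [
        ({RSA_KSK, RSA_ZSK, P256_ZSK}, {DS_RSA}),            # 1: P-256 ZSK added
        ({RSA_KSK, RSA_ZSK, P256_ZSK, P256_KSK}, {DS_RSA}),  # 2: P-256 KSK added
        ({RSA_KSK, RSA_ZSK, P256_ZSK, P256_KSK}, {DS_P256}), # 3: parent DS switched
        ({RSA_ZSK, P256_ZSK, P256_KSK}, {DS_P256}),          # 4: RSA KSK dropped
        ({P256_ZSK, P256_KSK}, {DS_P256}),                   # 5: RSA ZSK dropped
    ]
```

Every state in `rollover_states()` passes `check_chain`, while publishing the DS before the KSK, or dropping the RSA ZSK before the RSA KSK, returns a problem.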