[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation
Michael A. Peters
mpeters at domblogger.net
Thu Feb 15 18:54:10 UTC 2018
On 02/15/2018 09:26 AM, Paul Wouters wrote:
>
>> On Feb 15, 2018, at 12:23, Michael A. Peters <mpeters at domblogger.net> wrote:
>
>
>
>> ZSK is easy but ZSK should be 1024-bit to keep DNS responses small,
>
> There is no proof this is needed or required.
>
> And strong reasons to not use 1024 RSA anymore. The root ZSK is now 2048 with no issues reported.
>
> Paul
>
Thank you.
I believe the fear was abuse in DDoS amplification attacks.
More information about the nsd-users
mailing list