What are the recommended settings for ECDSA keys in Plesk DNSSEC?

• 

  b_p August 21, 2017 22:29

  Don't these key lengths refer to the more traditional algorithms such as RSASHA256? Wasn't it the case that the benefit of ECDSA is that you can use shorter keys and signatures (see e.g., http://dx.doi.org/10.5121/ijesa.2015.5202)?

  Another interesting hint: https://labs.apnic.net/?p=544

  1

  Comment actions Permalink
• 

  Alexander Tsmokalyuk August 22, 2017 08:31

  Thank you for the feedback. We will discuss your points with our developers and will update the article if necessary.

  0

  Comment actions Permalink
• 

  Konstantin Annikov August 25, 2017 12:43

  Hello, 

  Here is the detailed answer:

   

  The following ECDSA algorithms can be used with DNSSEC: 
  https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

  13 ECDSA Curve P-256 with SHA-256 ECDSAP256SHA256 Y * [RFC6605][standards track]
  14 ECDSA Curve P-384 with SHA-384 ECDSAP384SHA384 Y * [RFC6605[standards track]

  Definitions of this algorithms and considerations about key sizes are described in the RFC mentioned above:
  https://tools.ietf.org/html/rfc6605 - Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC

  1. Introduction

  ...

  This document defines the DNSKEY and RRSIG resource records (RRs) of
  two new signing algorithms: ECDSA (Elliptic Curve DSA) with curve
  P-256 and SHA-256, and ECDSA with curve P-384 and SHA-384. (A
  description of ECDSA can be found in [FIPS-186-3].) ...

  ...

  Current estimates are that ECDSA with curve P-256 has an approximate
  equivalent strength to RSA with 3072-bit keys. Using ECDSA with
  curve P-256 in DNSSEC has some advantages and disadvantages relative
  to using RSA with SHA-256 and with 3072-bit keys. ECDSA keys are
  much shorter than RSA keys; at this size, the difference is 256
  versus 3072 bits.

  So, possible key sizes are:

  • 256 bits - for ECDSA P-256
  • 384 bits - for ECDSA P-384

  Also it is said that ECDSA with 256-bit keys has an approximate equivalent strength to RSA with 3072-bit keys.

  Let's look on RSA algorithms which can be used with DNSSEC:
  https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

  8 RSA/SHA-256 RSASHA256 Y * [RFC5702][proposed standard]
  ...
  10 RSA/SHA-512 RSASHA512 Y * [RFC5702][proposed standard]

  https://tools.ietf.org/html/rfc5702 - Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC

  2.1. RSA/SHA-256 DNSKEY Resource Records

  ...

  For interoperability, as in [RFC3110], the key size of RSA/SHA-256
  keys MUST NOT be less than 512 bits and MUST NOT be more than 4096
  bits.

  2.2. RSA/SHA-512 DNSKEY Resource Records

  ...

  The key size of RSA/SHA-512 keys MUST NOT be less than 1024 bits and
  MUST NOT be more than 4096 bits.

  ...

  4. Deployment Considerations

  4.1. Key Sizes

  Apart from the restrictions in Section 2, this document will not
  specify what size of keys to use. That is an operational issue and
  depends largely on the environment and intended use. A good starting
  point for more information would be NIST SP 800-57 [NIST800-57].

  According to NIST SP 800-57:

  • ECDSA with 256-bit key is "equivalent" to RSA with 3072-bit key.
  • ECDSA with 384-bit key is "equivalent" to RSA with 7680-bit key.
  • Both ECDSA P-256 and ECDSA P-384 are Acceptable i.e. not known to be insecure both "through 2030" and "2031 and beyond".

  Conclusion

  It is impossible to use ECDSA with 1024-bit or 2048-bit keys for DNSSEC.
  We recommend to use ECDSA with 256-bit key (curve P-256) for both KSK (Key Signing Key) and ZSK (Zone Signing Key).

   

  Please leave a comment if you have additional questions. 

  0

  Comment actions Permalink

Please sign in to leave a comment.