OK, thanks. Just making sure I was not missing something obvious.
-----Original Message-----
From: "libor.peltan" [libor.peltan(a)nic.cz]
Date: 11/29/2018 04:33 AM
To: knot-dns-users(a)lists.nic.cz
Subject: Re: [knot-dns-users] Key sizes with ECDSA
Hi Full Name,
indeed, this is not possible. The ECC and EdDSA algorithm families always
stick to one key size for any algorithm. You can't have your KSK and ZSK
with different algorithms.
On the other hand, this is no big deal. Those algorithms are considered
safe enough even with small keys, so you can choose just e.g. ECDSA256
and profit from having small signatures. You can also think of using
single-type signing scheme.
BR,
Libor
On 28.11.18 at 22:58 Full Name wrote:
A policy section in knot.conf would contain (among
other things) an algorithm specification and (optionally) the KSK and ZSK key sizes. This
works fine for RSA. Now imagine that I want to establish a policy with ECC keys for both
KSKs and ZSKs. However, I might want for the KSKs to be 384-bit keys, and for the ZSKs to
be 256-bit keys. Can a policy be created in Knot to do so? It would seem that, given that
the algorithm specification for NIST elliptic curves includes both the curve and digest
data, the key size specifications do not apply here - i.e. both KSKs and ZSKs will
necessarily use the same curve, and therefore the same key size. Is this correct?
--
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
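As an added example (not taken from this thread or from the Knot project's documentation), the three situations discussed above written as knot.conf policy sections; the option names are the policy keys as I know them (algorithm, ksk-size, zsk-size, single-type-signing), and the zone name is a placeholder:

```yaml
# Added example, not from the thread. Option names are assumed to be the
# knot.conf policy keys: algorithm, ksk-size, zsk-size, single-type-signing.
policy:
    # RSA: key size is a free parameter, so KSK and ZSK can differ.
  - id: rsa_split
    algorithm: rsasha256
    ksk-size: 2048
    zsk-size: 1024

    # ECDSA P-384: the algorithm itself fixes the curve, so both the KSK
    # and the ZSK are 384-bit keys; there is no per-key curve choice here.
  - id: ecdsa_p384
    algorithm: ecdsap384sha384

    # Libor's suggestion: P-256 with a single key (CSK) acting as both
    # KSK and ZSK, keeping signatures small and key management simple.
  - id: ecdsa_csk
    algorithm: ecdsap256sha256
    single-type-signing: on

zone:
    # placeholder zone name
  - domain: example.com.
    dnssec-signing: on
    dnssec-policy: ecdsa_csk
```

Which policy a zone uses is selected per zone via dnssec-policy, so an RSA policy with split sizes and an ECDSA policy can coexist in one configuration, but not within one policy.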