I'd support Davey's idea to move to an ECDSA or ED25519 based algorithm to have better protection. It also contributes to minimizing UDP fragmentation and TCP fallback. This has been shown in the case of the .BR algorithm migration, which was presented by NIC.BR people at the Madrid ICANN meeting.

I understand it may not be appropriate to schedule an algorithm rollover in the next KSK rollover. But it may be essential that ICANN will announce that an algorithm rollover may be performed in the second-next (KSK-2023?) rollover as well and that ICANN encourages people to be ready for an efficient algorithm.

-- Akira Kato

From: Davey Song <songlinjian@gmail.com>
Subject: Re: [RSSAC Caucus] INPUT REQUESTED: Proposal for Future Root Zone KSK Rollovers
Date: Mon, 16 Dec 2019 11:34:05 +0800
then considerations should be proposed for using a longer KSK key length of 3072-bit RSA.
A larger RSA key size is not the right direction. If people think 2048-bit RSA is strong enough, a larger key size will only result in a large DNSKEY and response. If you think we should strengthen it, why not switch to ECC, given a reasonable timeline in the future?
Davey