Use 2048 bits as the default ZSK RSA key size in dnssec-keygen

2025-08-30 14:07:59 +00:00 · 2019-06-19 11:31:43 +01:00
parent af7b462b30
commit 24f23e7fad
2 changed files with 3 additions and 9 deletions
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -554,11 +554,7 @@ main(int argc, char **argv) {
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
-				if ((kskflag & DNS_KEYFLAG_KSK) != 0) {
-					size = 2048;
-				} else {
-					size = 1024;
-				}
+				size = 2048;
 				if (verbose > 0) {
 					fprintf(stderr, "key size not "
 							"specified; defaulting"
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -176,10 +176,8 @@
 	  </para>
 	  <para>
 	    If the key size is not specified, some algorithms have
-	    pre-defined defaults.  For example, RSA keys for use as
-	    DNSSEC zone signing keys have a default size of 1024 bits;
-	    RSA keys for use as key signing keys (KSKs, generated with
-	    <option>-f KSK</option>) default to 2048 bits.
+	    pre-defined defaults.  For instance, RSA keys have a default
+	    size of 2048 bits.
 	  </para>
 	</listitem>
      </varlistentry>