mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Code Issues Releases Wiki Activity

Use 2048 bits as the default ZSK RSA key size in dnssec-keygen

Browse Source
This commit is contained in:
Tony Finch
2019-06-19 11:31:43 +01:00
committed by Evan Hunt
parent af7b462b30
commit 24f23e7fad
2 changed files with 3 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bin/dnssec/dnssec-keygen.c
View File

@@ -554,11 +554,7 @@ main(int argc, char **argv) {
case DST_ALG_NSEC3RSASHA1: case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256: case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512: case DST_ALG_RSASHA512:
if ((kskflag & DNS_KEYFLAG_KSK) != 0) { size = 2048;
size = 2048;
} else {
size = 1024;
}
if (verbose > 0) { if (verbose > 0) {
fprintf(stderr, "key size not " fprintf(stderr, "key size not "
"specified; defaulting" "specified; defaulting"

6
bin/dnssec/dnssec-keygen.docbook
View File

@@ -176,10 +176,8 @@
</para> </para>
<para> <para>
If the key size is not specified, some algorithms have If the key size is not specified, some algorithms have
pre-defined defaults. For example, RSA keys for use as pre-defined defaults. For instance, RSA keys have a default
DNSSEC zone signing keys have a default size of 1024 bits; size of 2048 bits.
RSA keys for use as key signing keys (KSKs, generated with
<option>-f KSK</option>) default to 2048 bits.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>