Merge branch 'u/fanf2/rsa-1024-delenda-est' into 'master'

Use 2048 bits as the default ZSK RSA key size in dnssec-keygen Closes #1097 See merge request isc-projects/bind9!2055
2025-08-31 14:35:26 +00:00 · 2019-06-19 23:31:48 -04:00
parent af7b462b30 ac04d7b348
commit 62fd8827c7
3 changed files with 6 additions and 9 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+5250.	[func]		The default size for RSA keys is now 2048 bits,
+			for both ZSKs and KSKs. [GL #1097]
+
 5249.	[bug]		Fix a possible underflow in recursion clients
 			statistics when hitting recursive clients
 			soft quota. [GL #1067]
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -554,11 +554,7 @@ main(int argc, char **argv) {
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
-				if ((kskflag & DNS_KEYFLAG_KSK) != 0) {
-					size = 2048;
-				} else {
-					size = 1024;
-				}
+				size = 2048;
 				if (verbose > 0) {
 					fprintf(stderr, "key size not "
 							"specified; defaulting"
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -176,10 +176,8 @@
 	  </para>
 	  <para>
 	    If the key size is not specified, some algorithms have
-	    pre-defined defaults.  For example, RSA keys for use as
-	    DNSSEC zone signing keys have a default size of 1024 bits;
-	    RSA keys for use as key signing keys (KSKs, generated with
-	    <option>-f KSK</option>) default to 2048 bits.
+	    pre-defined defaults.  For instance, RSA keys have a default
+	    size of 2048 bits.
 	  </para>
 	</listitem>
      </varlistentry>