Merge branch 'u/fanf2/rsa-1024-delenda-est' into 'master'

Use 2048 bits as the default ZSK RSA key size in dnssec-keygen

Closes #1097

See merge request isc-projects/bind9!2055

CHANGES

@@ -1,3 +1,6 @@
+5250.	[func]		The default size for RSA keys is now 2048 bits,
+			for both ZSKs and KSKs. [GL #1097]
+
 5249.	[bug]		Fix a possible underflow in recursion clients
 			statistics when hitting recursive clients
 			soft quota. [GL #1067]

bin/dnssec/dnssec-keygen.c

@@ -554,11 +554,7 @@ main(int argc, char **argv) {
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
-				if ((kskflag & DNS_KEYFLAG_KSK) != 0) {
+				size = 2048;
-					size = 2048;
-				} else {
-					size = 1024;
-				}
 				if (verbose > 0) {
 					fprintf(stderr, "key size not "
 							"specified; defaulting"

bin/dnssec/dnssec-keygen.docbook

@@ -176,10 +176,8 @@
 	  </para>
 	  <para>
 	    If the key size is not specified, some algorithms have
-	    pre-defined defaults.  For example, RSA keys for use as
+	    pre-defined defaults.  For instance, RSA keys have a default
-	    DNSSEC zone signing keys have a default size of 1024 bits;
+	    size of 2048 bits.
-	    RSA keys for use as key signing keys (KSKs, generated with
-	    <option>-f KSK</option>) default to 2048 bits.
 	  </para>
 	</listitem>
       </varlistentry>