This is possibly somewhat academic given Jay's recent post to the effect that "we should do 2048-bit KSK because it is common practice", but...

On 2011-06-09 18:04, Don Stokes wrote:
I'd add the observation that for heavy DNS, fall back to TCP needs to be an absolute last resort.
I agree that DNS-via-TCP should be (designed to be) a rare occurrence, because it performs... poorly. Especially when used only after timeout-on-UDP. I'd definitely have a concern if the _Z_SK signatures were pushing regularly fetched RR+sigs over the de facto standard 1500-byte boundary, for the reasons that you list. But AFAIK everyone seems happy that the ZSK should be (much) smaller, and rolled frequently, and indeed that was one of the major motivations for the KSK/ZSK split. So few, if any, RR+sigs should be pushed over 1500 bytes by the ZSK signatures as I understand it. (Although I understand most/all will end up going over the historic 512-byte boundary.)

But per the figures provided by Sebastian it's the:

(a) (KS + ZS) key rollover time, where
(b) the DNSKEY RR is fetched with all the pubkey/signatures, from
(c) a > 1280-byte KSK that pushes the packet over the usually-designed-in "can pass 1500 bytes because the whole world is ethernet" limit, into the realms of could be UDP fragments, might not work, might need to retry as TCP.

So not only should DNSKEY RRs be relatively infrequently on the wire (since they can be cached for a relatively long TTL), but only DNSKEY RRs in certain rare situations (multiple key rollover), even with a 2048-bit KSK, will end up big enough to be a problem. And anyone caught out by this will be caught out by dozens of other TLDs anyway, so will hopefully eventually get a clue that "the Internet is broken" is actually an issue close(r) to them.

Ewen

PS: Peter Gutmann is of course completely right that even at 1280 bits the KSK is by no means the weakest point to compromise. Many other points would be much easier to compromise. Including, e.g., injecting faked data via a less-secure registrar (as one of the SSL CAs was compromised recently). However the KSK bit size is on the sticker on the outside, and easily measurable, so is likely to be a point of comparison. Security of authorised registrars is much harder to quantify/police.
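A back-of-the-envelope estimate of the DNSKEY response size the message above is worried about, added here as an illustration and not part of the thread or Sebastian's figures. The zone name, key sizes and the assumption that the DNSKEY RRset is signed by every key present (both KSKs and both ZSKs during a double rollover) are constructed for the example.

```python
# Constructed example: estimate the wire size of a DNSKEY query response
# (RSA keys, EDNS0 OPT present, no DO-bit extras, no additional section).

HEADER_LEN = 12          # DNS message header
FIXED_RR_LEN = 10        # type(2) + class(2) + TTL(4) + rdlength(2)
OPT_RR_LEN = 11          # EDNS0 OPT RR with no options: root name(1) + 10
POINTER_LEN = 2          # owner name compressed to a pointer at the qname
RSA_EXPONENT_LEN = 3     # public exponent 65537 (assumed; common choice)
RRSIG_FIXED_LEN = 18     # type covered .. key tag (RFC 4034 section 3.1)

# Payload sizes at which a UDP answer gets into trouble.
THRESHOLDS = (
    (512,  "classic no-EDNS UDP limit (RFC 1035)"),
    (1232, "IPv6 minimum MTU (1280) minus IPv6 + UDP headers"),
    (1472, "Ethernet MTU (1500) minus IPv4 + UDP headers"),
)

def wire_name_len(name):
    """Uncompressed wire length of a domain name (labels + root byte)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1

def dnskey_rdata_len(bits):
    """RSA DNSKEY RDATA (RFC 3110): flags/proto/alg + exp len + exp + modulus."""
    return 4 + 1 + RSA_EXPONENT_LEN + bits // 8

def rrsig_rdata_len(bits, signer):
    """RSA RRSIG RDATA; the signer name may not be compressed (RFC 4034)."""
    return RRSIG_FIXED_LEN + wire_name_len(signer) + bits // 8

def dnskey_response_len(zone, key_bits, signer_bits, edns=True):
    """Bytes of DNS payload for '<zone> DNSKEY' with the given keys/sigs."""
    size = HEADER_LEN + wire_name_len(zone) + 4      # question section
    for bits in key_bits:                            # one DNSKEY RR per key
        size += POINTER_LEN + FIXED_RR_LEN + dnskey_rdata_len(bits)
    for bits in signer_bits:                         # one RRSIG per signer
        size += POINTER_LEN + FIXED_RR_LEN + rrsig_rdata_len(bits, zone)
    return size + (OPT_RR_LEN if edns else 0)

def thresholds_exceeded(size):
    """Which of the UDP limits above a response of this size overruns."""
    return [limit for limit, _ in THRESHOLDS if size > limit]

if __name__ == "__main__":
    cases = {  # constructed scenarios: (DNSKEY RRs, signing keys)
        "steady state, 2048 KSK + 1024 ZSK": ([2048, 1024], [2048]),
        "double rollover, 2048-bit KSKs":    ([2048, 2048, 1024, 1024], [2048, 2048, 1024, 1024]),
        "double rollover, 1280-bit KSKs":    ([1280, 1280, 1024, 1024], [1280, 1280, 1024, 1024]),
    }
    for label, (keys, signers) in cases.items():
        n = dnskey_response_len("example.", keys, signers)
        print(f"{label}: {n} bytes, exceeds {thresholds_exceeded(n)}")
```

With these assumptions the 1280-bit double rollover stays just under the 1472-byte Ethernet limit while the 2048-bit one goes well past it, which is the situation the message describes.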