From: Matthijs Mekking
Date: Thu, 5 Dec 2019 10:16:53 +0000 (+0100)
Subject: Default key size 2048
X-Git-Tag: v9.15.7~27^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f9d45a5b880f7d68744aee845898b037dadaa98;p=thirdparty%2Fbind9.git
Default key size 2048
The default size for RSA keys is 2048 bits, for both ZSKs and KSKs.
---
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index e4e207758ce..604fd90f535 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -724,7 +724,7 @@ status=$((status+ret))
 #
 zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
 # The first keys are immediately published and activated.
 # Because lifetime > 0, retired timing is also set.
@@ -997,7 +997,7 @@ check_subdomain
 #
 zone_properties "ns3" "inherit.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
 # The first keys are immediately published and activated.
 # Because lifetime > 0, retired timing is also set.
@@ -1107,7 +1107,7 @@ status=$((status+ret))
 #
 zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no"
 # key_timings and key_states same as above.
 check_keys
@@ -1120,7 +1120,7 @@ dnssec_verify
 #
 zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no"
 # key_timings and key_states same as above.
 check_keys
@@ -1133,7 +1133,7 @@ dnssec_verify
 #
 zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no"
 # key_timings and key_states same as above.
 check_keys
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index 1784b46be0d..373dec9cc06 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -395,10 +395,8 @@ dns_kasp_key_size(dns_kasp_key_t *key) {
 if (size > 4096) {
 size = 4096;
 }
- } else if (key->role & DNS_KASP_KEY_ROLE_KSK) {
- size = 2048;
 } else {
- size = 1024;
+ size = 2048;
 }
 break;
 case DNS_KEYALG_ECDSA256:
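Review bot: The new fallback `size = 2048;` in `dns_kasp_key_size()` is a bare literal, and nothing at that line says it is the RSA default for both roles when the policy gives no length. A comment above it such as `/* No length configured: RSA default for KSK and ZSK alike. */`, or a named constant shared with the documentation, would keep the code and the documented default from drifting apart. The default applies only on this `else` path, so a policy that sets an explicit RSA length keeps that length, and the visible context shows only the upper clamp `if (size > 4096)`. Any lower bound lies outside the hunk, so it is worth confirming that an explicitly configured length below 2048 is either rejected or deliberately permitted. The function starts and ends outside the hunk.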