[Botan-devel] DSA p-bits check

Rickard Bellgrim rickard.bellgrim at iis.se
Fri May 28 10:20:02 EDT 2010


> Yes you're right. Fixed.

Thanks

> In the meantime, you can work around this by explicitly specifying
> qbits to be the right size.
> 
> (Also I can't say using 768 bit DSA keys is a very good idea anymore)

The current support for DSA in DNSSEC is based on RFC2536 from the year 1999.

An attempt was made to add support for DSA/SHA2, but that one has expired.
http://tools.ietf.org/html/draft-hoffman-dnssec-dsa-sha2-00

Another problem is that PKCS#11 only accepts sizes between 512 and 1024 bits (for prime p). It has not even been fixed in the new draft for version 2.30. And no support for SHA2.

Luckily, DSA is not commonly used. And the focus is probably to get ECDSA into DNSSEC.

// Rickard

