@lanodan @shaft This thread might be of interest to you: https://mailarchive.ietf.org/arch/msg/dnsop/3hzGyV9LGnUpw0ncFudWdQ2sZvc/ My understanding of the current trends and global points of view is that after RSA 2048 it is better to focus energy on switching to elliptic-curve-based algorithms and just shy away from RSA completely, both for reasons of the size consequences of what is exchanged as DNS packets, and for fears about strength against quantum computing.