The Digital Signature Standard (see Question 3.4.1) was originally proposed by NIST with a fixed 512-bit key size. After much criticism that this is not secure enough, especially for long-term security, NIST revised DSS to allow key sizes up to 1024 bits. In fact, even larger key sizes are now allowed in ANSI X9.31 [ANS98]. DSA is, at present, considered to be secure with 1024-bit keys.
DSA makes use of computation of discrete logarithms in certain subgroups in the finite field GF(p) for some prime p. The problem was first proposed for cryptographic use in 1989 by Schnorr [Sch90]. No efficient attacks have yet been reported on this form of the discrete logarithm problem.
Some researchers warned about the existence of "trapdoor" primes in DSA, which could enable a key to be easily broken. These trapdoor primes are relatively rare and easily avoided if proper key-generation procedures are followed [SB93].