[dns-operations] Root Zone DNSSEC Operational Update -- ZSK length change

Richard Lamb richard.lamb at icann.org
Sat Oct 1 15:40:58 UTC 2016 

Congratulations!!  Having had numerous discussions with you on this topic, and been on the coding end, lest I say a good example of Verisign, ICANN, and community teamwork?  You led this well.
Rick


Sent from my iPhone

> On Oct 1, 2016, at 4:44 PM, Wessels, Duane <dwessels at verisign.com> wrote:
> 
> I'm pleased to announce that this change is now complete.  As of 13:34 UTC on October 1, 2016 the root zone has been signed and published with a 2048-bit ZSK.  Please contact myself of Verisign customer service (info at verisign-grs.com) if you observe any problems related to this change.
> 
> Duane W.
> 
> 
>> On Sep 29, 2016, at 11:15 AM, Wessels, Duane <dwessels at verisign.com> wrote:
>> 
>> A quick update on this change: A 2048-bit ZSK has been pre-published in the root zone as of September 20.  We are not aware of any issues related to the appearance of the larger key.
>> 
>> In less than 48 hours we will being publishing root zones signed with the 2048-bit ZSK.  I will send another note once that has happened.  If you observe any problems related to this change, please contact Verisign's customer service at info at verisign-grs.com.
>> 
>> Duane W.
>> 
>>> On Jul 28, 2016, at 3:37 PM, Wessels, Duane <dwessels at verisign.com> wrote:
>>> 
>>> As you may know, Verisign, in its role as the Root Zone Maintainer
>>> is also the operator of the root zone Zone Signing Key (ZSK).  Later
>>> this year, we will increase the size of the ZSK from 1024-bits to
>>> 2048-bits.
>>> 
>>> The root zone ZSK is normally rolled every calendar quarter, as per
>>> our “DNSSEC Practice Statement for the Root Zone ZSK operator.”[1]
>>> The ZSK public keys are signed at quarterly key signing ceremonies
>>> by ICANN in its role as the IANA Functions Operator.
>>> 
>>> On September 20, 2016 the 2048-bit ZSK will be pre-published in the
>>> root zone, following the standard ZSK rollover procedure.  We intend
>>> to begin publishing root zones signed with the first 2048-bit ZSK
>>> on October 1, 2016.
>>> 
>>> Some details of the ZSK size transition have recently been presented
>>> at the DNS-OARC, NANOG, RIPE, ICANN, and IETF meetings.[2]  If you
>>> have any questions or concerns, please feel free to contact us at
>>> zms at verisign.com.
>>> 
>>> Please feel free to forward this message to anyone who might not have
>>> seen it here.
>>> 
>>> [1] https://www.verisign.com/assets/dps-zsk-operator-1532.pdf
>>> [2] https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-change.pdf
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list