[dns-operations] Root Zone DNSSEC Operational Update -- ZSK length change

Wessels, Duane dwessels at verisign.com
Mon Oct 3 14:22:43 UTC 2016


Thanks Rick!

It was indeed a great example of cooperation between ICANN and Verisign.  It took many joint meetings, calls, discussions, and tests to make this happen.  I'd like to publicly thank everyone at ICANN/IANA who helped along the way.

DW


> On Oct 1, 2016, at 11:40 AM, Richard Lamb <richard.lamb at icann.org> wrote:
> 
> Congratulations!!  Having had numerous discussions with you on this topic, and been on the coding end, lest I say a good example of Verisign, ICANN, and community teamwork?  You led this well.
> Rick
> 
> 
> Sent from my iPhone
> 
>> On Oct 1, 2016, at 4:44 PM, Wessels, Duane <dwessels at verisign.com> wrote:
>> 
>> I'm pleased to announce that this change is now complete.  As of 13:34 UTC on October 1, 2016 the root zone has been signed and published with a 2048-bit ZSK.  Please contact myself of Verisign customer service (info at verisign-grs.com) if you observe any problems related to this change.
>> 
>> Duane W.
>> 
>> 
>>> On Sep 29, 2016, at 11:15 AM, Wessels, Duane <dwessels at verisign.com> wrote:
>>> 
>>> A quick update on this change: A 2048-bit ZSK has been pre-published in the root zone as of September 20.  We are not aware of any issues related to the appearance of the larger key.
>>> 
>>> In less than 48 hours we will being publishing root zones signed with the 2048-bit ZSK.  I will send another note once that has happened.  If you observe any problems related to this change, please contact Verisign's customer service at info at verisign-grs.com.
>>> 
>>> Duane W.
>>> 
>>>> On Jul 28, 2016, at 3:37 PM, Wessels, Duane <dwessels at verisign.com> wrote:
>>>> 
>>>> As you may know, Verisign, in its role as the Root Zone Maintainer
>>>> is also the operator of the root zone Zone Signing Key (ZSK).  Later
>>>> this year, we will increase the size of the ZSK from 1024-bits to
>>>> 2048-bits.
>>>> 
>>>> The root zone ZSK is normally rolled every calendar quarter, as per
>>>> our “DNSSEC Practice Statement for the Root Zone ZSK operator.”[1]
>>>> The ZSK public keys are signed at quarterly key signing ceremonies
>>>> by ICANN in its role as the IANA Functions Operator.
>>>> 
>>>> On September 20, 2016 the 2048-bit ZSK will be pre-published in the
>>>> root zone, following the standard ZSK rollover procedure.  We intend
>>>> to begin publishing root zones signed with the first 2048-bit ZSK
>>>> on October 1, 2016.
>>>> 
>>>> Some details of the ZSK size transition have recently been presented
>>>> at the DNS-OARC, NANOG, RIPE, ICANN, and IETF meetings.[2]  If you
>>>> have any questions or concerns, please feel free to contact us at
>>>> zms at verisign.com.
>>>> 
>>>> Please feel free to forward this message to anyone who might not have
>>>> seen it here.
>>>> 
>>>> [1] https://www.verisign.com/assets/dps-zsk-operator-1532.pdf
>>>> [2] https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-change.pdf
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-operations mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations





More information about the dns-operations mailing list