[dns-operations] Root Zone DNSSEC Operational Update -- ZSK length change

Wessels, Duane dwessels at verisign.com
Thu Sep 29 15:15:24 UTC 2016

A quick update on this change: A 2048-bit ZSK has been pre-published in the root zone as of September 20.  We are not aware of any issues related to the appearance of the larger key.

In less than 48 hours we will being publishing root zones signed with the 2048-bit ZSK.  I will send another note once that has happened.  If you observe any problems related to this change, please contact Verisign's customer service at info at verisign-grs.com.

Duane W.

> On Jul 28, 2016, at 3:37 PM, Wessels, Duane <dwessels at verisign.com> wrote:
> As you may know, Verisign, in its role as the Root Zone Maintainer
> is also the operator of the root zone Zone Signing Key (ZSK).  Later
> this year, we will increase the size of the ZSK from 1024-bits to
> 2048-bits.
> The root zone ZSK is normally rolled every calendar quarter, as per
> our “DNSSEC Practice Statement for the Root Zone ZSK operator.”[1]
> The ZSK public keys are signed at quarterly key signing ceremonies
> by ICANN in its role as the IANA Functions Operator.
> On September 20, 2016 the 2048-bit ZSK will be pre-published in the
> root zone, following the standard ZSK rollover procedure.  We intend
> to begin publishing root zones signed with the first 2048-bit ZSK
> on October 1, 2016.
> Some details of the ZSK size transition have recently been presented
> at the DNS-OARC, NANOG, RIPE, ICANN, and IETF meetings.[2]  If you
> have any questions or concerns, please feel free to contact us at
> zms at verisign.com.
> Please feel free to forward this message to anyone who might not have
> seen it here.
> [1] https://www.verisign.com/assets/dps-zsk-operator-1532.pdf
> [2] https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-change.pdf

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160929/cb377962/attachment.sig>

More information about the dns-operations mailing list