[dns-operations] .NET Zone DNSSEC Operational Update -- ZSK length change

Matt Nordhoff lists at mn0.us
Sun Aug 4 17:00:34 UTC 2019


On Wed, Jul 10, 2019 at 2:13 AM Wessels, Duane via dns-operations
<dns-operations at dns-oarc.net> wrote:
> All,
>
> Verisign is in the process of increasing the size and strength of
> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
> it operates.  As part of this process, the ZSK for the .NET zone
> will be increased in size from 1024 to 1280 bits.
>
> On July 10, 2019 the 1280 bit ZSK will be pre-published in the .NET
> zone.  On July 15, the .NET zone will be signed with the 1280 bit
> ZSK.  On July 20, the 1024 bit ZSK will be removed from the zone.
>
> We do not anticipate any problems from this upgrade.  In accordance
> with our normal operating procedures we have a rollback process
> should it become necessary to revert to the 1024 bit ZSK.
>
> DW

Is this going to be rolled back? The 1280-bit ZSK is in active use, as
far as I can tell, but the 1024-bit ZSK hasn't been removed from the
zone. (And the current DNSKEY RRSIG expires more than a week from
now!)
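The check described in the reply above (which ZSKs are published in the DNSKEY RRset, how large each is, and which one is signing) can be scripted. This is an added example, not part of the original thread: the key material is constructed with a made-up modulus, algorithm 8 (RSA/SHA-256) is an assumption, and `constructed_key` and `zsk_status` are hypothetical helper names.

```python
import base64

def rsa_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    if pubkey[0] != 0:
        elen, off = pubkey[0], 1
    else:  # long form: a zero byte, then a 16-bit exponent length
        elen, off = int.from_bytes(pubkey[1:3], "big"), 3
    return int.from_bytes(pubkey[off + elen:], "big").bit_length()

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA in wire form."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def parse_dnskey(line: str) -> dict:
    """Parse DNSKEY RDATA in presentation form: 'flags protocol algorithm base64'."""
    flags, proto, alg, *b64 = line.split()
    pub = base64.b64decode("".join(b64))
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pub
    role = "KSK" if int(flags) & 1 else "ZSK"  # SEP bit set marks a KSK by convention
    return {"role": role, "bits": rsa_bits(pub), "tag": key_tag(rdata)}

def constructed_key(flags: int, bits: int) -> str:
    """Constructed sample record with a made-up modulus (not a real key)."""
    modulus = (1 << (bits - 1)) | bits | 1
    pub = b"\x03\x01\x00\x01" + modulus.to_bytes(bits // 8, "big")  # e = 65537
    return f"{flags} 3 8 {base64.b64encode(pub).decode()}"

def zsk_status(dnskey_lines, rrsig_key_tags):
    """For each published ZSK: (modulus bits, whether an RRSIG names its key tag)."""
    keys = [parse_dnskey(line) for line in dnskey_lines]
    return [(k["bits"], k["tag"] in rrsig_key_tags) for k in keys if k["role"] == "ZSK"]

if __name__ == "__main__":
    # Constructed DNSKEY RRset resembling the state the reply describes:
    # one KSK, the old 1024-bit ZSK still published, the 1280-bit ZSK signing.
    rrset = [constructed_key(257, 2048),
             constructed_key(256, 1024),
             constructed_key(256, 1280)]
    # Key tag taken from the RRSIG over zone data (here: the 1280-bit key's tag).
    signing = {parse_dnskey(rrset[2])["tag"]}
    for bits, active in zsk_status(rrset, signing):
        print(f"ZSK {bits} bits: {'signing' if active else 'published, not signing'}")
```

With real data, the DNSKEY lines and the RRSIG key tags would come from the zone's DNSKEY RRset and the signatures over its records.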


