[dns-operations] [Ext] .NET Zone DNSSEC Operational Update -- ZSK length change

Paul Hoffman paul.hoffman at icann.org
Sun Aug 4 22:11:12 UTC 2019

On Aug 4, 2019, at 2:33 PM, Doug Barton <dougb at dougbarton.email> wrote:
> On 2019-07-09 7:11 PM, Wessels, Duane via dns-operations wrote:
>> Verisign is in the process of increasing the size and strength of
>> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
>> it operates.  As part of this process, the ZSK for the .NET zone
>> will be increased in size from 1024 to 1280 bits.
> Do you have any references on why 1280 bits? I'm not looking to criticize, hoping to learn something.  :)

See RFC 3766 <https://tools.ietf.org/html/rfc3766>. Going from RSA 1024 to RSA 1280 gets you about 10 extra bits of equivalent symmetric strength, meaning it takes about 1000 times more effort.

--Paul Hoffman
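
An added example, not part of the original message: a rough estimate of the strength gained by growing an RSA modulus, using the textbook general number field sieve (GNFS) running-time heuristic with its o(1) term dropped. This is an assumption for illustration, not RFC 3766's exact calculation, and the function names are hypothetical; it gives roughly nine bits for 1024 to 1280, the same order as the figure in the reply.

```python
import math

# Constant of the GNFS heuristic L_n[1/3, c], c = (64/9)^(1/3) ~ 1.923.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS work factor for an RSA modulus of this size.

    L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), o(1) term dropped
    (assumption), so only differences between sizes are meaningful, not the
    absolute number.
    """
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)


def extra_bits(old_bits: int, new_bits: int) -> float:
    """Estimated gain in equivalent symmetric strength, in bits."""
    return gnfs_bits(new_bits) - gnfs_bits(old_bits)


def modulus_for_extra_bits(old_bits: int, gain: float,
                           step: int = 64, limit: int = 16384) -> int:
    """Smallest modulus size (old_bits plus a multiple of step) whose
    estimated gain over old_bits is at least `gain` bits."""
    size = old_bits
    while size <= limit:
        if extra_bits(old_bits, size) >= gain:
            return size
        size += step
    raise ValueError("no modulus size within limit reaches the requested gain")


if __name__ == "__main__":
    for size in (1024, 1280, 1536, 2048):
        gain = extra_bits(1024, size)
        print(f"RSA-{size}: +{gain:4.1f} bits vs RSA-1024, "
              f"~{2 ** gain:,.0f}x estimated work")
    print("Size for +10 bits over RSA-1024:", modulus_for_extra_bits(1024, 10))
```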
