[dns-operations] [Ext] .NET Zone DNSSEC Operational Update -- ZSK length change
paul.hoffman at icann.org
Sun Aug 4 22:11:12 UTC 2019
On Aug 4, 2019, at 2:33 PM, Doug Barton <dougb at dougbarton.email> wrote:
> On 2019-07-09 7:11 PM, Wessels, Duane via dns-operations wrote:
>> Verisign is in the process of increasing the size and strength of
>> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
>> it operates. As part of this process, the ZSK for the .NET zone
>> will be increased in size from 1024 to 1280 bits.
> Do you have any references on why 1280 bits? I'm not looking to criticize, hoping to learn something. :)
See RFC 3766 <https://tools.ietf.org/html/rfc3766>. Going from RSA 1024 to RSA 1280 gets you about 10 extra bits of equivalent symmetric strength, meaning it takes about 1000 times more effort.
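
Added example, not part of the original message or of RFC 3766: a rough estimate of how much extra factoring work a larger RSA modulus buys, using the asymptotic general number field sieve (GNFS) cost expression with the o(1) term dropped. The function names are hypothetical, and only differences between sizes are meaningful, because the constant factor and any calibration to symmetric-key operations are left out.

```python
import math

# Assumption of this sketch: GNFS cost ~ exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),
# with c = (64/9)^(1/3) (about 1.923) and the o(1) term ignored.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_work_bits(modulus_bits: int) -> float:
    """Return log2 of the uncalibrated GNFS cost for an n of modulus_bits bits."""
    ln_n = modulus_bits * math.log(2)
    exponent = GNFS_C * (ln_n * math.log(ln_n) ** 2) ** (1 / 3)
    return exponent / math.log(2)


def strength_gain_bits(old_bits: int, new_bits: int) -> float:
    """Extra bits of attacker work when moving from old_bits to new_bits.

    Any constant multiplier on the cost cancels in this difference.
    """
    return gnfs_work_bits(new_bits) - gnfs_work_bits(old_bits)


def smallest_modulus_for_gain(base_bits: int, gain_bits: float) -> int:
    """Smallest modulus size (in bits) giving at least gain_bits over base_bits."""
    bits = base_bits
    while strength_gain_bits(base_bits, bits) < gain_bits:
        bits += 1
    return bits


if __name__ == "__main__":
    # Constructed list of candidate ZSK sizes, compared against RSA-1024.
    for size in (1024, 1280, 1536, 2048):
        gain = strength_gain_bits(1024, size)
        print(f"RSA-{size}: +{gain:4.1f} bits vs RSA-1024 "
              f"(about {2 ** gain:,.0f}x the work)")
    print("Size for +10 bits over RSA-1024:",
          smallest_modulus_for_gain(1024, 10.0))
```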