[dns-operations] .NET Zone DNSSEC Operational Update -- ZSK length change

Wessels, Duane dwessels at verisign.com
Mon Aug 5 15:56:35 UTC 2019

> On Aug 4, 2019, at 10:00 AM, Matt Nordhoff <lists at mn0.us> wrote:
> On Wed, Jul 10, 2019 at 2:13 AM Wessels, Duane via dns-operations
> <dns-operations at dns-oarc.net> wrote:
>> All,
>> Verisign is in the process of increasing the size and strength of
>> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
>> it operates.  As part of this process, the ZSK for the .NET zone
>> will be increased in size from 1024 to 1280 bits.
>> On July 10, 2019 the 1280 bit ZSK will be pre-published in the .NET
>> zone.  On July 15, the .NET zone will be signed with the 1280 bit
>> ZSK.  On July 20, the 1024 bit ZSK will be removed from the zone.
>> We do not anticipate any problems from this upgrade.  In accordance
>> with our normal operating procedures we have a rollback process
>> should it become necessary to revert to the 1024 bit ZSK.
>> DW
> Is this going to be rolled back? The 1280-bit ZSK is in active use, as
> far as I can tell, but the 1024-bit ZSK hasn't been removed from the
> zone. (And the current DNSKEY RRSIG expires more than a week from
> now!)


We're not aware of any need to roll back at this time.  The old 1024-bit ZSK
is still in a post-publish state, but is not active.  That old ZSK will remain
post-published until the end of September, just in case there is a need to roll back.

The DNSKEY RRSIG is generated by the KSK, of course.  Its expiration values are as


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4675 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190805/666bb3e5/attachment.bin>

More information about the dns-operations mailing list