[dns-operations] .NET Zone DNSSEC Operational Update -- ZSK length change

Wessels, Duane dwessels at verisign.com
Mon Aug 5 15:56:35 UTC 2019



> On Aug 4, 2019, at 10:00 AM, Matt Nordhoff <lists at mn0.us> wrote:
> 
> On Wed, Jul 10, 2019 at 2:13 AM Wessels, Duane via dns-operations
> <dns-operations at dns-oarc.net> wrote:
>> All,
>> 
>> Verisign is in the process of increasing the size and strength of
>> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
>> it operates.  As part of this process, the ZSK for the .NET zone
>> will be increased in size from 1024 to 1280 bits.
>> 
>> On July 10, 2019 the 1280 bit ZSK will be pre-published in the .NET
>> zone.  On July 15, the .NET zone will be signed with the 1280 bit
>> ZSK.  On July 20, the 1024 bit ZSK will be removed from the zone.
>> 
>> We do not anticipate any problems from this upgrade.  In accordance
>> with our normal operating procedures we have a rollback process
>> should it become necessary to revert to the 1024 bit ZSK.
>> 
>> DW
> 
> Is this going to be rolled back? The 1280-bit ZSK is in active use, as
> far as I can tell, but the 1024-bit ZSK hasn't been removed from the
> zone. (And the current DNSKEY RRSIG expires more than a week from
> now!)

Matt,

We're not aware of any need to roll back at this time.  The old 1024-bit ZSK
is still in a post-publish state, but is not active.  That old ZSK will remain
post-published until the end of September, just in case there is a need to roll back.

The DNSKEY RRSIG is generated by the KSK, of course.  Its expiration values are as
expected.

DW
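
An added example, not part of the original message or of Verisign's tooling: a Python sketch that takes a zone's DNSKEY RRset plus the signer key tags seen on its RRSIGs and reports which keys are signing and which are only published, as with the old 1024-bit ZSK described above. The sample keys are constructed filler bytes (algorithm 8 is an assumption), and the tuple input format is hypothetical.

```python
# Added example: classify DNSKEYs in a zone snapshot as signing vs. published-only.
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def rsa_modulus_bits(pubkey):
    """Modulus size of an RSA DNSKEY public key field (RFC 3110 layout)."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # long form: two-byte exponent length follows
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[offset + exp_len:], "big").bit_length()

def classify(dnskeys, rrsigs):
    """dnskeys: (flags, protocol, algorithm, pubkey) tuples.
    rrsigs: (type_covered, signer_key_tag) pairs seen in the zone.
    Returns one dict per key with tag, role, size and the types it signs."""
    report = []
    for flags, proto, alg, pub in dnskeys:
        tag = key_tag(flags, proto, alg, pub)
        covered = sorted({t for t, signer in rrsigs if signer == tag})
        report.append({
            "tag": tag,
            "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit set => KSK
            "bits": rsa_modulus_bits(pub),
            "signs": covered,
            "state": "signing" if covered else "published-only",
        })
    return report

def constructed_key(flags, bits, fill):
    # Constructed filler, not a real key: exponent 65537, top modulus bit set.
    modulus = bytes([0x80 | fill]) + bytes([fill]) * (bits // 8 - 1)
    return (flags, 3, 8, b"\x03\x01\x00\x01" + modulus)

SAMPLE_KEYS = [constructed_key(257, 2048, 0x33),   # KSK
               constructed_key(256, 1280, 0x22),   # new ZSK
               constructed_key(256, 1024, 0x11)]   # old ZSK, still published
KSK_TAG, NEW_TAG, OLD_TAG = (key_tag(*k) for k in SAMPLE_KEYS)
# Constructed signatures: KSK signs the DNSKEY RRset, new ZSK signs the rest.
SAMPLE_RRSIGS = [("DNSKEY", KSK_TAG), ("SOA", NEW_TAG), ("NS", NEW_TAG)]

if __name__ == "__main__":
    for row in classify(SAMPLE_KEYS, SAMPLE_RRSIGS):
        print(row)
```

A single snapshot cannot tell a pre-published key from a post-published one; that distinction needs observations over time.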
