[dns-operations] .NET Zone DNSSEC Operational Update -- ZSK length change
dwessels at verisign.com
Mon Aug 5 15:56:35 UTC 2019
> On Aug 4, 2019, at 10:00 AM, Matt Nordhoff <lists at mn0.us> wrote:
> On Wed, Jul 10, 2019 at 2:13 AM Wessels, Duane via dns-operations
> <dns-operations at dns-oarc.net> wrote:
>> Verisign is in the process of increasing the size and strength of
>> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
>> it operates. As part of this process, the ZSK for the .NET zone
>> will be increased in size from 1024 to 1280 bits.
>> On July 10, 2019 the 1280 bit ZSK will be pre-published in the .NET
>> zone. On July 15, the .NET zone will be signed with the 1280 bit
>> ZSK. On July 20, the 1024 bit ZSK will be removed from the zone.
>> We do not anticipate any problems from this upgrade. In accordance
>> with our normal operating procedures we have a rollback process
>> should it become necessary to revert to the 1024 bit ZSK.
> Is this going to be rolled back? The 1280-bit ZSK is in active use, as
> far as I can tell, but the 1024-bit ZSK hasn't been removed from the
> zone. (And the current DNSKEY RRSIG expires more than a week from
We're not aware of any need to roll back at this time. The old 1024-bit ZSK
is still in a post-publish state, but is not active. That old ZSK will remain
post-published until the end of September, just in case there is a need to roll back.
The DNSKEY RRSIG is generated by the KSK, of course. Its expiration values are as
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4675 bytes
Desc: not available
More information about the dns-operations