[dns-operations] .NET Zone DNSSEC Operational Update -- ZSK length change

Wessels, Duane dwessels at verisign.com
Mon Aug 5 15:58:04 UTC 2019

> On Aug 4, 2019, at 2:33 PM, Doug Barton <dougb at dougbarton.email> wrote:
> On 2019-07-09 7:11 PM, Wessels, Duane via dns-operations wrote:
>> Verisign is in the process of increasing the size and strength of
>> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
>> it operates.  As part of this process, the ZSK for the .NET zone
>> will be increased in size from 1024 to 1280 bits.
> Do you have any references on why 1280 bits? I'm not looking to criticize, hoping to learn something.  :)


We settled on 1280 bits (with NSEC3 zones) so that the responses all still fit in a single unfragmented IPv6 packet.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4675 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190805/1fdbf555/attachment.bin>

More information about the dns-operations mailing list