[dns-operations] .NET Zone DNSSEC Operational Update -- ZSK length change

Matt Nordhoff lists at mn0.us
Mon Aug 5 16:32:39 UTC 2019

On Mon, Aug 5, 2019 at 3:56 PM Wessels, Duane <dwessels at verisign.com> wrote:
> > On Aug 4, 2019, at 10:00 AM, Matt Nordhoff <lists at mn0.us> wrote:
> >
> > On Wed, Jul 10, 2019 at 2:13 AM Wessels, Duane via dns-operations
> > <dns-operations at dns-oarc.net> wrote:
> >> All,
> >>
> >> Verisign is in the process of increasing the size and strength of
> >> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
> >> it operates.  As part of this process, the ZSK for the .NET zone
> >> will be increased in size from 1024 to 1280 bits.
> >>
> >> On July 10, 2019 the 1280 bit ZSK will be pre-published in the .NET
> >> zone.  On July 15, the .NET zone will be signed with the 1280 bit
> >> ZSK.  On July 20, the 1024 bit ZSK will be removed from the zone.
> >>
> >> We do not anticipate any problems from this upgrade.  In accordance
> >> with our normal operating procedures we have a rollback process
> >> should it become necessary to revert to the 1024 bit ZSK.
> >>
> >> DW
> >
> > Is this going to be rolled back? The 1280-bit ZSK is in active use, as
> > far as I can tell, but the 1024-bit ZSK hasn't been removed from the
> > zone. (And the current DNSKEY RRSIG expires more than a week from
> > now!)
> Matt,
> We're not aware of any need to roll back at this time.  The old 1024-bit ZSK
> is still in a post-publish state, but is not active.  That old ZSK will remain
> post-published until the end of September, just in case there is a need to roll back.

Alright. Thank you for explaining. :-)

I asked because, in the hypothetical scenario of the 1024-bit key
being cracked by rich evildoers, it's a threat as long as it's in the
DNSKEY RRset, whether or not it's in active use. I was surprised it
was remaining longer than the old keys for .jobs and .name did.

I've kind of been waiting with bated breath since your presentation
last October. :-D

I had been starting to worry that the upgrade might have run into
difficulties, so I'm glad it's still going ahead.

> The DNSKEY RRSIG is generated by the KSK, of course.  Its expiration values are as
> expected.

Alright. I didn't mean to suggest anything was wrong. I'm just mindful
of expiration dates and their effect on whether an old record is truly

> DW

Thanks again for responding. :-)
Matt Nordhoff
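
Added example, not part of the original message and not Verisign's tooling: a Python check for the concern raised above, that a short ZSK left in the DNSKEY RRset can still be used to validate signatures whether or not it is signing, so the audit flags it on publication alone. The key material, the RRSIG key tags, the use of algorithm 8 and the 1280-bit threshold are constructed assumptions for illustration, not the real .NET records.

```python
import base64
import struct

RSA_ALGS = {1, 5, 7, 8, 10}  # DNSSEC algorithm numbers that carry RFC 3110 RSA keys

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def rsa_modulus_bits(pubkey):
    """Modulus size of an RFC 3110 key: exponent length, exponent, modulus."""
    if pubkey[0]:
        exp_len, off = pubkey[0], 1
    else:  # a zero first octet means a two-octet exponent length follows
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[off + exp_len:], "big").bit_length()

def audit_dnskey_rrset(rrset, signing_tags, min_bits=1280):
    """Report every published RSA zone key; 'weak' ignores whether it signs."""
    findings = []
    for flags, protocol, alg, b64 in rrset:
        if not flags & 0x0100 or alg not in RSA_ALGS:  # skip non-zone keys
            continue
        key = base64.b64decode(b64)
        tag = key_tag(flags, protocol, alg, key)
        bits = rsa_modulus_bits(key)
        findings.append({"tag": tag, "role": "KSK" if flags & 1 else "ZSK",
                         "bits": bits, "active": tag in signing_tags,
                         "weak": bits < min_bits})
    return findings

def constructed_key(bits):
    """Constructed placeholder of the right length, not a real RSA modulus."""
    modulus = ((1 << (bits - 1)) | bits | 1).to_bytes(bits // 8, "big")
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

# Constructed RRset shaped like the post-publish state described in the thread.
SAMPLE_RRSET = [(257, 3, 8, constructed_key(2048)),
                (256, 3, 8, constructed_key(1280)),
                (256, 3, 8, constructed_key(1024))]
# Constructed: RRSIGs are seen from the KSK and the 1280-bit ZSK only.
ACTIVE = {key_tag(f, 3, 8, base64.b64decode(k)) for f, _, _, k in SAMPLE_RRSET[:2]}

if __name__ == "__main__":
    for f in audit_dnskey_rrset(SAMPLE_RRSET, ACTIVE):
        state = "signing" if f["active"] else "published only"
        note = "  <-- below minimum, still in RRset" if f["weak"] else ""
        print(f'{f["role"]} tag={f["tag"]} {f["bits"]} bits, {state}{note}')
```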
