[dns-operations] .NET Zone DNSSEC Operational Update -- ZSK length change

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jul 10 15:24:18 UTC 2019


> On Jul 9, 2019, at 10:11 PM, Wessels, Duane via dns-operations <dns-operations at dns-oarc.net> wrote:
> 
> Verisign is in the process of increasing the size and strength of
> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
> it operates.  As part of this process, the ZSK for the .NET zone
> will be increased in size from 1024 to 1280 bits.
> 
> On July 10, 2019 the 1280 bit ZSK will be pre-published in the .NET
> zone.  On July 15, the .NET zone will be signed with the 1280 bit
> ZSK.  On July 20, the 1024 bit ZSK will be removed from the zone.
> 
> We do not anticipate any problems from this upgrade.  In accordance
> with our normal operating procedures we have a rollback process
> should it become necessary to revert to the 1024 bit ZSK.

Thanks for that, may it go as smoothly as expected!  It would
be great to see a similar update (or a switch to algorithm 13) made
by more TLD operators.

Presently the TLD ZSK age in quarters (90 day quanta, rounded down)
and RSA bit size frequencies are:

 tlds | age in quarters | rsa bits 
------+-----------------+----------
    1 |               0 |     1024
    7 |               4 |     1024
   14 |               5 |     1024
  688 |               6 |     1024
    6 |               6 |     1152
    1 |               3 |     1280
  650 |               6 |     1280
    2 |               0 |     2048
    1 |               1 |     2048
    1 |               2 |     2048
  155 |               6 |     2048
    1 |               6 |     4096

My data only goes back to Oct-2017, so the 6-quarter figure is only
a lower bound; the 6-quarter data points are likely in many cases
older.  Updates would be especially welcome for the 688 TLDs with
"aging" 1024-bit ZSKs.

For comparison, the TLD KSK RSA ages and bit size frequencies are:

 tlds | age in quarters | rsa bits 
------+-----------------+----------
    1 |               6 |     1024
    6 |               6 |     1280
    2 |               0 |     2048
    1 |               2 |     2048
    1 |               3 |     2048
    7 |               4 |     2048
   14 |               5 |     2048
 1334 |               6 |     2048
    1 |               0 |     4096
    1 |               1 |     4096

Here, the keys are primarily 2048-bit and up, and should not
need frequent replacement, but there is still one TLD with
an aging 1024-bit KSK, and 6 with 1280-bit keys that should
arguably still be rotated more frequently than every 630+ days:

           tld            | age in quarters | rsa bits 
--------------------------+-----------------+----------
 kg                       |               6 |     1024
 bom                      |               6 |     1280
 final                    |               6 |     1280
 globo                    |               6 |     1280
 natura                   |               6 |     1280
 rio                      |               6 |     1280
 uol                      |               6 |     1280

That said, 118 ccTLDs, 22 IDN TLDs and "aero" are yet to be signed
at all. Would be great to see more progress on that front as well.
[ 130 ccTLDs, 130 IDN TLDs and 1129 ASCII gTLDs are signed ]

-- 
	Viktor.
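As an added example (not code from Viktor's or Duane's post), here is the bookkeeping behind tables like the ones above in Python: it parses DNSKEY records in presentation format (the form `dig DNSKEY net.` prints, which is an assumed input source), classifies each as KSK (flags 257) or ZSK (flags 256) and recovers the RSA modulus size from the RFC 3110 public-key encoding, including the 3-byte exponent-length form. The records it runs on are constructed inline with a stub modulus of the wanted bit length, mirroring the pre-publish phase of the .NET roll described above; they are not real TLD keys.

```python
"""Account for DNSSEC keys by role and RSA size, the bookkeeping behind a TLD survey.

Added example; not code from the dns-operations thread. Sample records are
constructed with a stub modulus of the wanted bit length, not real TLD keys.
"""
import base64
import struct
from collections import Counter

# DNSKEY flags (RFC 4034): bit 7 = Zone Key (256), bit 15 = SEP (1). 256 = ZSK, 257 = KSK.
FLAG_ZONE_KEY = 0x0100
FLAG_SEP = 0x0001

# Algorithm numbers whose public key field is an RFC 3110 RSA key.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 RSA public key: exponent length (1 byte, or a
    0 byte followed by 2 length bytes), then the exponent, then the modulus."""
    if not pubkey:
        raise ValueError("empty RSA public key")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA public key")
    return int.from_bytes(modulus, "big").bit_length()


def encode_rsa_pubkey(exponent: int, modulus: int) -> bytes:
    """Inverse of rsa_modulus_bits; used here only to build the sample records."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    header = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + struct.pack("!H", len(exp))
    return header + exp + mod


def classify_dnskey(rr: str) -> dict:
    """Parse one presentation-format DNSKEY RR:
    owner [ttl] [class] DNSKEY flags protocol algorithm base64-key..."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    key = base64.b64decode("".join(fields[idx + 4:]))  # key may be split across whitespace
    if not flags & FLAG_ZONE_KEY:
        role = "not-a-zone-key"
    else:
        role = "KSK" if flags & FLAG_SEP else "ZSK"
    info = {"owner": fields[0], "flags": flags, "algorithm": algorithm,
            "role": role, "rsa_bits": None}
    if algorithm in RSA_ALGORITHMS:
        info["rsa_bits"] = rsa_modulus_bits(key)
    return info


def size_histogram(rrs):
    """Frequency of (role, algorithm, rsa_bits): the shape of the tables in the post."""
    return Counter((r["role"], r["algorithm"], r["rsa_bits"])
                   for r in map(classify_dnskey, rrs))


def weak_rsa_keys(rrs, min_bits=1280):
    """Zone keys whose RSA modulus is below min_bits, e.g. 1024-bit ZSKs due for a roll."""
    return [(r["owner"], r["role"], r["rsa_bits"]) for r in map(classify_dnskey, rrs)
            if r["rsa_bits"] is not None and r["rsa_bits"] < min_bits]


def _sample_rr(owner, flags, algorithm, bits):
    # Constructed stub: the modulus merely has the requested bit length; not a real key.
    modulus = (1 << (bits - 1)) | 1
    key = base64.b64encode(encode_rsa_pubkey(65537, modulus)).decode()
    return f"{owner} 86400 IN DNSKEY {flags} 3 {algorithm} {key}"


# Constructed DNSKEY RRset modelled on the pre-publish phase of the roll:
# old 1024-bit ZSK and new 1280-bit ZSK both published, under a 2048-bit KSK.
SAMPLE_RRSET = [
    _sample_rr("net.", 257, 8, 2048),
    _sample_rr("net.", 256, 8, 1024),
    _sample_rr("net.", 256, 8, 1280),
]

if __name__ == "__main__":
    for rr in SAMPLE_RRSET:
        print(classify_dnskey(rr))
    print(size_histogram(SAMPLE_RRSET))
    print(weak_rsa_keys(SAMPLE_RRSET))
```

Feeding `weak_rsa_keys` the DNSKEY RRsets of every signed TLD (fetched with the resolver of your choice; the fetch is left out here) gives the list of zones with sub-1280-bit RSA keys; the age column in the tables above would need the DNSKEY history that this snippet does not keep.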
