[dns-operations] .ARPA Zone DNSSEC Operational Update -- ZSK length change

Arsen STASIC arsen.stasic at univie.ac.at
Thu Jul 11 07:35:22 UTC 2019

Hi Duane,

why are you going to increase .NET KSK just to 1280 bits and not 
to 2048 bits as in .ARPA?


* Wessels, Duane <dwessels at verisign.com> [2019-07-10 02:12 (+0000)]:
>Hash: SHA256
>Verisign is in the process of increasing the size and strength of
>the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
>it operates.  As part of this process, the ZSK for the .ARPA zone
>will be increased in size from 1024 to 2048 bits.
>On July 11, 2019 the 2048 bit ZSK will be pre-published in the .ARPA
>zone.  On July 21, the .ARPA zone will be signed with the 2048 bit
>ZSK.  On August 10, the 1024 bit ZSK will be removed from the zone.
>We do not anticipate any problems from this upgrade.  In accordance
>with our normal operating procedures we have a rollback process
>should it become necessary to revert to the 1024 bit ZSK.
>Version: GnuPG v2.0.22 (GNU/Linux)

More information about the dns-operations mailing list