.ARPA Zone DNSSEC Operational Update -- ZSK length change

Wessels, Duane dwessels at verisign.com
Thu Jul 11 17:14:35 UTC 2019


Whereas ARPA uses NSEC, .NET uses NSEC3.  The key length was selected to keep responses below fragmentation limits.

DW


> On Jul 11, 2019, at 12:35 AM, Arsen STASIC <arsen.stasic at univie.ac.at> wrote:
> 
> Hi Duane,
> 
> why are you going to increase .NET KSK just to 1280 bits and not to 2048 bits as in .ARPA?
> 
> cheers
> -arsen
> 
> * Wessels, Duane <dwessels at verisign.com> [2019-07-10 02:12 (+0000)]:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>> 
>> 
>> All,
>> 
>> Verisign is in the process of increasing the size and strength of
>> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
>> it operates.  As part of this process, the ZSK for the .ARPA zone
>> will be increased in size from 1024 to 2048 bits.
>> 
>> On July 11, 2019 the 2048 bit ZSK will be pre-published in the .ARPA
>> zone.  On July 21, the .ARPA zone will be signed with the 2048 bit
>> ZSK.  On August 10, the 1024 bit ZSK will be removed from the zone.
>> 
>> We do not anticipate any problems from this upgrade.  In accordance
>> with our normal operating procedures we have a rollback process
>> should it become necessary to revert to the 1024 bit ZSK.
>> 
>> DW
>> 
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.22 (GNU/Linux)
>> 
>> iQEcBAEBCAAGBQJdJQifAAoJEGyZpGmowJiNxjcH/3a+ox9KyGAT5vnrcxfEYYIQ
>> X2iQ0dSEBCv9JPNwTnKkV2U2xzG3uZb6LHjq9tihtA4M04IaMvlLnZMUFUyGgzrl
>> ACvn6j9qCE0q7sgDGo/RNWXBsAd58mKgBVMMRCBR6AklDHVA+grEH2CwDwP0eGYZ
>> 8dy6Cf94jqXqiVDQIxoK31YhYFqNVRhZE4f72V+6lh1fg4GrsfXKeErYwQooxdYT
>> 91H9TmffWmEpG+eYdgWMOPPS+nsrDr/MAuSVD0t5hT8H/HrCo45MNxxskmwLg0Ni
>> QAHgy5Ao2jgJj6MkzZdwjldM8mn5YzMegiHUF9R5W5TRlnNm7uGTU32Irzu7b/8=
>> =lJK6
>> -----END PGP SIGNATURE-----
>> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4675 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190711/4d673af3/attachment.bin>


More information about the dns-operations mailing list