[dns-operations] .ARPA Zone DNSSEC Operational Update -- ZSK length change
arsen.stasic at univie.ac.at
Mon Jul 15 12:29:22 UTC 2019
Thanks for clarification!
I wasn't aware of this difference and how it affects responses, but now it
absolutely makes sense to me.
* Wessels, Duane <dwessels at verisign.com> [2019-07-11 17:14 (+0000)]:
>Whereas ARPA uses NSEC, .NET uses NSEC3. The key length was selected to keep responses below fragmentation limits.
>> On Jul 11, 2019, at 12:35 AM, Arsen STASIC <arsen.stasic at univie.ac.at> wrote:
>> Hi Duane,
>> why are you going to increase .NET KSK just to 1280 bits and not to 2048 bits as in .ARPA?
>> * Wessels, Duane <dwessels at verisign.com> [2019-07-10 02:12 (+0000)]:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>> Verisign is in the process of increasing the size and strength of
>>> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
>>> it operates. As part of this process, the ZSK for the .ARPA zone
>>> will be increased in size from 1024 to 2048 bits.
>>> On July 11, 2019 the 2048 bit ZSK will be pre-published in the .ARPA
>>> zone. On July 21, the .ARPA zone will be signed with the 2048 bit
>>> ZSK. On August 10, the 1024 bit ZSK will be removed from the zone.
>>> We do not anticipate any problems from this upgrade. In accordance
>>> with our normal operating procedures we have a rollback process
>>> should it become necessary to revert to the 1024 bit ZSK.
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.22 (GNU/Linux)
>>> -----END PGP SIGNATURE-----
More information about the dns-operations