[dns-operations] .COM Zone DNSSEC Operational Update -- ZSK length change

Matt Nordhoff lists at mn0.us
Thu Jan 2 22:15:10 UTC 2020


On Thu, Jan 2, 2020 at 9:38 PM Wessels, Duane <dwessels at verisign.com> wrote:
> > On Dec 28, 2019, at 8:50 AM, Matt Nordhoff <lists at mn0.us> wrote:
> > On Mon, Oct 14, 2019 at 6:34 PM Wessels, Duane via dns-operations
> > <dns-operations at dns-oarc.net> wrote:
> >> All,
> >>
> >> Verisign is in the process of increasing the size and strength of
> >> the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that
> >> it operates.  As part of this process, the ZSK for the .COM zone will
> >> be increased in size from 1024 to 1280 bits.
> >>
> >> On October 10, 2019 the 1280 bit ZSK was pre-published in the .COM zone.
> >> On October 15, we plan to sign the .COM zone with the 1280 bit ZSK.
> >> On October 20, we plan to remove the old 1024 bit ZSK from the zone.
> >
> > D'y'all have an updated ETA on step 3?
> >
>
> Matt,
>
> My apologies for the incorrect information in the initial message.  The old
> 1024-bit ZSK was post-published for an extended period of time.  It was removed
> as of Jan 1.
>
> DW

[insert GitHub party popper emoji]

That's great news. Congratulations on completing the upgrade! :-)

Once the RRSIG on the previous DNSKEY record set expires in 9 days,
1024-bit RSA on Verisign-operated TLDs will be absolutely dead and
buried. :-)
-- 
Matt Nordhoff
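
The rollover discussed in this thread can be checked from the DNSKEY RRset itself. The following is an added example, not part of the original thread and not Verisign's tooling: it decodes the RFC 3110 RSA public key field of each DNSKEY and reports zone signing keys below 1280 bits. The function names are hypothetical, and the sample records are constructed placeholders with filler moduli, not real keys.

```python
import base64

RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def rsa_modulus_bits(public_key: bytes) -> int:
    """Bit length of the modulus in an RFC 3110 RSA public key field."""
    if not public_key:
        raise ValueError("empty public key")
    exp_len, offset = public_key[0], 1
    if exp_len == 0:  # long form: the next two octets carry the exponent length
        if len(public_key) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(public_key[1:3], "big"), 3
    modulus = public_key[offset + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()

def parse_dnskey(rdata_text: str):
    """Parse DNSKEY RDATA in presentation form: flags protocol algorithm base64..."""
    flags, protocol, algorithm, *b64 = rdata_text.split()
    key = base64.b64decode("".join(b64), validate=True)
    return int(flags), int(protocol), int(algorithm), key

def weak_zsks(rdata_lines, min_bits=1280):
    """Return (flags, algorithm, bits) for each RSA ZSK shorter than min_bits."""
    found = []
    for line in rdata_lines:
        flags, _protocol, algorithm, key = parse_dnskey(line)
        is_zsk = bool(flags & 0x0100) and not flags & 0x0001  # Zone Key set, SEP clear
        if is_zsk and algorithm in RSA_ALGORITHMS:
            bits = rsa_modulus_bits(key)
            if bits < min_bits:
                found.append((flags, algorithm, bits))
    return found

def constructed_rdata(flags: int, bits: int) -> str:
    """Build a placeholder DNSKEY (not a real key): exponent 65537, filler modulus."""
    modulus = b"\xc1" + b"\x5a" * (bits // 8 - 1)
    key = b"\x03" + (65537).to_bytes(3, "big") + modulus
    return f"{flags} 3 8 " + base64.b64encode(key).decode()

# Constructed RRsets: old and new ZSK published together, then old ZSK removed.
PRE_PUBLISH = [constructed_rdata(257, 2048), constructed_rdata(256, 1024), constructed_rdata(256, 1280)]
AFTER_REMOVAL = [constructed_rdata(257, 2048), constructed_rdata(256, 1280)]

if __name__ == "__main__":
    print("during rollover:", weak_zsks(PRE_PUBLISH))
    print("after removal:  ", weak_zsks(AFTER_REMOVAL))
```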


