Root Zone DNSSEC Operational Update -- ZSK length change

Wessels, Duane dwessels at verisign.com
Sat Oct 1 13:36:13 UTC 2016


I'm pleased to announce that this change is now complete.  As of 13:34 UTC on October 1, 2016 the root zone has been signed and published with a 2048-bit ZSK.  Please contact myself or Verisign customer service (info at verisign-grs.com) if you observe any problems related to this change.

Duane W.

> On Sep 29, 2016, at 11:15 AM, Wessels, Duane <dwessels at verisign.com> wrote:
> 
> A quick update on this change: A 2048-bit ZSK has been pre-published in the root zone as of September 20.  We are not aware of any issues related to the appearance of the larger key.
> 
> In less than 48 hours we will begin publishing root zones signed with the 2048-bit ZSK.  I will send another note once that has happened.  If you observe any problems related to this change, please contact Verisign's customer service at info at verisign-grs.com.
> 
> Duane W.
> 
>> On Jul 28, 2016, at 3:37 PM, Wessels, Duane <dwessels at verisign.com> wrote:
>> 
>> As you may know, Verisign, in its role as the Root Zone Maintainer
>> is also the operator of the root zone Zone Signing Key (ZSK).  Later
>> this year, we will increase the size of the ZSK from 1024-bits to
>> 2048-bits.
>> 
>> The root zone ZSK is normally rolled every calendar quarter, as per
>> our “DNSSEC Practice Statement for the Root Zone ZSK operator.”[1]
>> The ZSK public keys are signed at quarterly key signing ceremonies
>> by ICANN in its role as the IANA Functions Operator.
>> 
>> On September 20, 2016 the 2048-bit ZSK will be pre-published in the
>> root zone, following the standard ZSK rollover procedure.  We intend
>> to begin publishing root zones signed with the first 2048-bit ZSK
>> on October 1, 2016.
>> 
>> Some details of the ZSK size transition have recently been presented
>> at the DNS-OARC, NANOG, RIPE, ICANN, and IETF meetings.[2]  If you
>> have any questions or concerns, please feel free to contact us at
>> zms at verisign.com.
>> 
>> Please feel free to forward this message to anyone who might not have
>> seen it here.
>> 
>> [1] https://www.verisign.com/assets/dps-zsk-operator-1532.pdf
>> [2] https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-change.pdf
>> 
> 
