Root Zone DNSSEC Operational Update -- ZSK length change
As you may know, Verisign, in its role as the Root Zone Maintainer is also the operator of the root zone Zone Signing Key (ZSK). Later this year, we will increase the size of the ZSK from 1024-bits to 2048-bits. The root zone ZSK is normally rolled every calendar quarter, as per our “DNSSEC Practice Statement for the Root Zone ZSK operator.”[1] The ZSK public keys are signed at quarterly key signing ceremonies by ICANN in its role as the IANA Functions Operator. On September 20, 2016 the 2048-bit ZSK will be pre-published in the root zone, following the standard ZSK rollover procedure. We intend to begin publishing root zones signed with the first 2048-bit ZSK on October 1, 2016. Some details of the ZSK size transition have recently been presented at the DNS-OARC, NANOG, RIPE, ICANN, and IETF meetings.[2] If you have any questions or concerns, please feel free to contact us at zms@verisign.com. Please feel free to forward this message to anyone who might not have seen it here. [1] https://www.verisign.com/assets/dps-zsk-operator-1532.pdf [2] https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-ch...
A quick update on this change: A 2048-bit ZSK has been pre-published in the root zone as of September 20. We are not aware of any issues related to the appearance of the larger key. In less than 48 hours we will being publishing root zones signed with the 2048-bit ZSK. I will send another note once that has happened. If you observe any problems related to this change, please contact Verisign's customer service at info@verisign-grs.com. Duane W.
On Jul 28, 2016, at 3:37 PM, Wessels, Duane <dwessels@verisign.com> wrote:
As you may know, Verisign, in its role as the Root Zone Maintainer is also the operator of the root zone Zone Signing Key (ZSK). Later this year, we will increase the size of the ZSK from 1024-bits to 2048-bits.
The root zone ZSK is normally rolled every calendar quarter, as per our “DNSSEC Practice Statement for the Root Zone ZSK operator.”[1] The ZSK public keys are signed at quarterly key signing ceremonies by ICANN in its role as the IANA Functions Operator.
On September 20, 2016 the 2048-bit ZSK will be pre-published in the root zone, following the standard ZSK rollover procedure. We intend to begin publishing root zones signed with the first 2048-bit ZSK on October 1, 2016.
Some details of the ZSK size transition have recently been presented at the DNS-OARC, NANOG, RIPE, ICANN, and IETF meetings.[2] If you have any questions or concerns, please feel free to contact us at zms@verisign.com.
Please feel free to forward this message to anyone who might not have seen it here.
[1] https://www.verisign.com/assets/dps-zsk-operator-1532.pdf [2] https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-ch...
I'm pleased to announce that this change is now complete. As of 13:34 UTC on October 1, 2016 the root zone has been signed and published with a 2048-bit ZSK. Please contact myself of Verisign customer service (info@verisign-grs.com) if you observe any problems related to this change. Duane W.
On Sep 29, 2016, at 11:15 AM, Wessels, Duane <dwessels@verisign.com> wrote:
A quick update on this change: A 2048-bit ZSK has been pre-published in the root zone as of September 20. We are not aware of any issues related to the appearance of the larger key.
In less than 48 hours we will being publishing root zones signed with the 2048-bit ZSK. I will send another note once that has happened. If you observe any problems related to this change, please contact Verisign's customer service at info@verisign-grs.com.
Duane W.
On Jul 28, 2016, at 3:37 PM, Wessels, Duane <dwessels@verisign.com> wrote:
As you may know, Verisign, in its role as the Root Zone Maintainer is also the operator of the root zone Zone Signing Key (ZSK). Later this year, we will increase the size of the ZSK from 1024-bits to 2048-bits.
The root zone ZSK is normally rolled every calendar quarter, as per our “DNSSEC Practice Statement for the Root Zone ZSK operator.”[1] The ZSK public keys are signed at quarterly key signing ceremonies by ICANN in its role as the IANA Functions Operator.
On September 20, 2016 the 2048-bit ZSK will be pre-published in the root zone, following the standard ZSK rollover procedure. We intend to begin publishing root zones signed with the first 2048-bit ZSK on October 1, 2016.
Some details of the ZSK size transition have recently been presented at the DNS-OARC, NANOG, RIPE, ICANN, and IETF meetings.[2] If you have any questions or concerns, please feel free to contact us at zms@verisign.com.
Please feel free to forward this message to anyone who might not have seen it here.
[1] https://www.verisign.com/assets/dps-zsk-operator-1532.pdf [2] https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-ch...
I'm pleased to announce that this change is now complete. As of 13:34 UTC on October 1, 2016 the root zone has been signed and published with a 2048-bit ZSK. Please contact myself of Verisign customer service (info@verisign-grs.com) if you observe any problems related to this change.
Duane W. I emailed you but got a 'host not found' error. Does that count as a
On 10/01/2016 06:36 AM, Wessels, Duane wrote: problem related to the change.....? Lol
On Oct 1, 2016, at 11:29 AM, Mike <mike-nanog@tiedyenetworks.com> wrote:
On 10/01/2016 06:36 AM, Wessels, Duane wrote:
I'm pleased to announce that this change is now complete. As of 13:34 UTC on October 1, 2016 the root zone has been signed and published with a 2048-bit ZSK. Please contact myself of Verisign customer service (info@verisign-grs.com) if you observe any problems related to this change.
Duane W. I emailed you but got a 'host not found' error. Does that count as a problem related to the change.....?
Lol
Mike, I hope not but we should rule it out. I will follow up with you privately. Duane W.
participants (2)
-
Mike
-
Wessels, Duane