[191875] in North American Network Operators' Group
Re: Root Zone DNSSEC Operational Update -- ZSK length change
daemon@ATHENA.MIT.EDU (Wessels, Duane)
Sat Oct 1 09:36:21 2016
X-Original-To: nanog@nanog.org
From: "Wessels, Duane" <dwessels@verisign.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Sat, 1 Oct 2016 13:36:13 +0000
In-Reply-To: <626768A0-5D22-4B97-8EFC-174894B7F297@verisign.com>
Errors-To: nanog-bounces@nanog.org
--Apple-Mail=_68EA5423-926E-49ED-A8F4-966399DF1D88
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=utf-8
I'm pleased to announce that this change is now complete. As of 13:34 =
UTC on October 1, 2016 the root zone has been signed and published with =
a 2048-bit ZSK. Please contact myself of Verisign customer service =
(info@verisign-grs.com) if you observe any problems related to this =
change.
Duane W.
> On Sep 29, 2016, at 11:15 AM, Wessels, Duane <dwessels@verisign.com> =
wrote:
>=20
> A quick update on this change: A 2048-bit ZSK has been pre-published =
in the root zone as of September 20. We are not aware of any issues =
related to the appearance of the larger key.
>=20
> In less than 48 hours we will being publishing root zones signed with =
the 2048-bit ZSK. I will send another note once that has happened. If =
you observe any problems related to this change, please contact =
Verisign's customer service at info@verisign-grs.com.
>=20
> Duane W.
>=20
>> On Jul 28, 2016, at 3:37 PM, Wessels, Duane <dwessels@verisign.com> =
wrote:
>>=20
>> As you may know, Verisign, in its role as the Root Zone Maintainer
>> is also the operator of the root zone Zone Signing Key (ZSK). Later
>> this year, we will increase the size of the ZSK from 1024-bits to
>> 2048-bits.
>>=20
>> The root zone ZSK is normally rolled every calendar quarter, as per
>> our =E2=80=9CDNSSEC Practice Statement for the Root Zone ZSK =
operator.=E2=80=9D[1]
>> The ZSK public keys are signed at quarterly key signing ceremonies
>> by ICANN in its role as the IANA Functions Operator.
>>=20
>> On September 20, 2016 the 2048-bit ZSK will be pre-published in the
>> root zone, following the standard ZSK rollover procedure. We intend
>> to begin publishing root zones signed with the first 2048-bit ZSK
>> on October 1, 2016.
>>=20
>> Some details of the ZSK size transition have recently been presented
>> at the DNS-OARC, NANOG, RIPE, ICANN, and IETF meetings.[2] If you
>> have any questions or concerns, please feel free to contact us at
>> zms@verisign.com.
>>=20
>> Please feel free to forward this message to anyone who might not have
>> seen it here.
>>=20
>> [1] https://www.verisign.com/assets/dps-zsk-operator-1532.pdf
>> [2] =
https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-=
change.pdf
>>=20
>=20
--Apple-Mail=_68EA5423-926E-49ED-A8F4-966399DF1D88
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="signature.asc"
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Message signed with OpenPGP using GPGMail
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQEcBAEBCAAGBQJX77vNAAoJEGyZpGmowJiNO8MIALo8LxTH0Z0nLptgURL4DpDj
fOTxboiF0W5PE+f6/o/ITZHaDG99fUCFqbWjBM5g3zS3MFDhxzLhtoH3bB+3Ueh5
eGvSpCFyj7Oak7ja3eNQsRowpNCLCsJ++koai8OIV2Xoi+W9BIZ+s89tyiEtL3qP
+sWpyl5MOO200HPtOlfQCGwKQzlMpiBqMZLzcSPB/Nd4tt8pTKBNYl+600uJlqWo
o05V9UfdM6TsI/uu+qrW3DZEofpfFJ9e9qDxlsMhb1ea/ceVa/OXCUFWOfYMFfPl
k8cQHg33WDzMbXofokiAxj8FWacncKUMOtcszGTXrRi5AWs0X4gwHQLM+UzvylU=
=oMLl
-----END PGP SIGNATURE-----
--Apple-Mail=_68EA5423-926E-49ED-A8F4-966399DF1D88--
