On 28 Mar 2014, at 9:06, Phillip Hallam-Baker <[email protected]> wrote:
> Therefore ICANN needs to sign the root zone with 2048 before we consider it
> signed. End of story.

Small point of clarity: the only key that ICANN maintains is the 2048 bit KSK, and the only signatures ICANN makes with it are over the DNSKEY RRSet. The 1024 bit ZSKs and signatures made by those keys are handled exclusively by the Root Zone Maintainer (Verisign).

It's not clear to me that any changes would be required at ICANN to accommodate 2048 bit ZSKs. As I recall, every KSR that is submitted for processing at a ceremony is carefully tested in dry runs before the date anyway, so even the existing QA could continue unchanged.

Joe
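The KSK/ZSK split described in the message above can be checked from a zone's DNSKEY RRSet; the following is an added example, not part of the original thread, that classifies each RSA DNSKEY by its flags and measures its modulus size. The sample records are constructed (meaningless key material), and the function names and the choice of algorithm 8 for the samples are assumptions.

```python
import base64
import struct

RSA_ALGORITHMS = {5, 7, 8, 10}  # RSA-based DNSSEC algorithm numbers (IANA registry)


def parse_dnskey(rdata_text):
    """Parse 'flags protocol algorithm base64key'; return role and RSA modulus size."""
    flags, _protocol, algorithm, key_b64 = rdata_text.split(None, 3)
    flags, algorithm = int(flags), int(algorithm)
    if algorithm not in RSA_ALGORITHMS:
        raise ValueError("not an RSA DNSKEY")
    key = base64.b64decode("".join(key_b64.split()))
    # RFC 3110: one-octet exponent length, or 0 followed by a two-octet length.
    exp_len, offset = key[0], 1
    if exp_len == 0:
        (exp_len,) = struct.unpack("!H", key[1:3])
        offset = 3
    modulus = key[offset + exp_len:]
    if not modulus:
        raise ValueError("truncated public key")
    # Zone Key bit (0x0100) with SEP bit (0x0001) marks a KSK; without SEP, a ZSK.
    if not flags & 0x0100:
        role = "not a zone key"
    else:
        role = "KSK" if flags & 0x0001 else "ZSK"
    bits = int.from_bytes(modulus, "big").bit_length()
    return {"role": role, "algorithm": algorithm, "bits": bits}


def keys_below(rrset, min_bits):
    """Return the parsed keys whose RSA modulus is shorter than min_bits."""
    return [k for k in map(parse_dnskey, rrset) if k["bits"] < min_bits]


def constructed_key(flags, bits):
    """Constructed sample: valid DNSKEY syntax, cryptographically meaningless."""
    modulus = b"\x80" + b"\x01" * (bits // 8 - 1)
    blob = b"\x03" + b"\x01\x00\x01" + modulus  # exponent length 3, exponent 65537
    return f"{flags} 3 8 {base64.b64encode(blob).decode()}"


# Constructed RRSet mirroring the sizes in the message: 2048-bit KSK, 1024-bit ZSK.
SAMPLE_RRSET = [constructed_key(257, 2048), constructed_key(256, 1024)]

if __name__ == "__main__":
    for parsed in map(parse_dnskey, SAMPLE_RRSET):
        print(parsed)
    print("below 2048 bits:", keys_below(SAMPLE_RRSET, 2048))
```
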
