[Dnssec-deployment] .gov 2048bit ZSK to 1024 bit ZSK ?
Richard Lamb
richard.lamb at icann.org
Wed Mar 17 14:29:40 EDT 2010
Thanks Eric. I just thought the original .gov spec was 2048+2048 but I guess I have just been too busy to follow. I'll make sure to check the wonderful secspider more often ;-)
$ dig +dnssec -t dnskey gov
; <<>> DiG 9.6.0 <<>> +dnssec -t dnskey gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;gov. IN DNSKEY
;; ANSWER SECTION:
gov. 84452 IN DNSKEY 256 3 7 AwEAAaQ6vDoHd2QDRBLwB+n63RxnmJExvIcOz7uv9gM+l8QSMAJTTCDp qJ8R+8UfYs97cn6LM3cT3kcl9V0GnjljNzNMk39W11Ej7htNcbf4u1n5 z2e4WsnpjQJJmKoWv2FORIfJmLKbxzGILSK13mrDUETj9onhdtOsjkhc K/7S+h1d
gov. 84452 IN DNSKEY 257 3 7 AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm K7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRd HTQyghWWbhzAZpnlZ16imXB4yFZjdbV2iM66KcgsESQMPEcIayDQJh6J Ei1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDFdmsSwChR McORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7 rf08l3QlgHEuxclTTdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcU CeVm4Hf2aM8=
gov. 84452 IN DNSKEY 256 3 7 AwEAAZzsQ4vEhGwWTdbjdK7cl4hk8QI/Cvf9jxGqsee7z8EIbxlGflhb GSxoeTob9WYP4pzewLqx8+xfIxmyqdXxBA/qMrxTeyiexm4gNCHUM+3X vxXhHRy61oO1UOclg9CqhvmMh2sqwtvbdvIoOIvF1aTL1GnGK9ZHl1a3 04NBaZ0F9ly2dMva+iNuKw8G9FSJzSCdsgmf+5MorOKljOdFvJChRkfX RayLFt/dgUyjQ2v1hytyp/2Cp6b6v+BPAQxSf9uQsCZLnWs2xy6VwaqU 3uKx+TUesUpzKkUZ+DREoLtHapKQI4nXIf21F5LRpgH/FI/AbNqjHdAr cxTuiEtBfe0=
gov. 84452 IN RRSIG DNSKEY 7 1 86400 20100322111703 20100317111703 26079 gov. Cm/nMopsfrJeGSFZYebvRWep8oO9ZwbWAnVQi1vWzLsnh2rx5c6qECn5 zxccn+HDsWAH4KJzmolMGXez8b5UIqcybSndLgP9YARKF1wFVKPk4M/+ 0RKC89TihjD4o79Y9osdddvx5RlqQU8aR+EvAbAp0zRM2w5/dYAN+2NR gUzB+jxzbVLPTfZ1jqsu64OxH34rmAXkjj4CdxZCE6TmKmZNsCwmiV23 zT1swRJoH5Sus9RHoElPaVMd0K6fTUE/ialzjTNMRR8C+Cy7PIWcN49Y s6HCmHDffOPjfLylAPrkN6iNFCwndJ+LbYr8+t390uOdOaoHlfvcaWQs 5AcpUg==
gov. 84452 IN RRSIG DNSKEY 7 1 86400 20100322111703 20100317111703 51998 gov. GFoDOCI+YqwkqabI3hWEx5G1YkNKp/k1bghLylHOzS3f6FkiXSkKYtfC skBjYPXMub3B5oxjsQxZutMfh9uToSADUKch2xn3dMkjRY02zMDZGYSL GfX9B4jlldD7ml7IuouLwLjbZCkduTiDt+D4GrbAEuMgwVRKIt/8pBGO IEg=
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 17 11:27:15 2010
;; MSG SIZE rcvd: 1186
$ dig +dnssec -t dnskey ssa.gov
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13909
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ssa.gov. IN DNSKEY
;; ANSWER SECTION:
ssa.gov. 34065 IN DNSKEY 256 3 7 AwEAAe+hhiYaRFl8I9XUWuhwPFhoOZVwGxxcHGh9eP3s0Egm5FEkhttq R7ry2lou5E2wm8VylC8D6RajKBqVDbyOzz+FCPRVX/Qm3ZEdCNdVulys YwpX4mbA9xlv+M2nfo30H4IShcTa0LIv3CiudBueizAfXupKYosrBa23 8uoF9ycxeVT6X5CSUU+szMy5GvF2cCIa4C/608zl9w7cI1OqWKf02dwP acqKVoV352xRbLRyYb5RBNDt4LHjqW2PwnWowBMtLSEjpbWf2NPEz/Bd ddZPaWHzofHdqR1eXWolRLWdk/+1zFQmAls3HGgM3ysUMnRzAtkHRax9 CaaX1W0wrSc=
ssa.gov. 34065 IN DNSKEY 257 3 7 AwEAAcfgMh7Uip8B15HPqdBkhAAglAwMsOdBV/eZ7QVo/KG09dquwMAr vG+uJkH64kP8eXbGrXwFWcGADOMDPWcitF4TlSGIrcCq3yW3k/U08VOw d4mUPaNKAE56J0m9rS9vLanVHsbub5JWMAQAprQr1yIMacM05q7bL8vt zFP7kyj7r4Y5TGXAHS6n94vbfBasnco1nrr2zgeoViFk3DoWNhazMcCX PIO7kLlXTOFqwCwv6hvR6kPkIvxAY+3Uf72q5rfyKwtvgB2v96ax07bk kIFHEGhoSXY3UVj5S46Dls3VyFGh5bVmjUp0Wm8H9N7bmVpfhjSuO1i9 pRLCU/CBo38=
ssa.gov. 34065 IN DNSKEY 256 3 7 AwEAAcoWOwjqU6hagAWc0mE96cGwfuIOhDHzOXIZuBVwowq5gWI6qxOO 8geEG9ibO7DtYmSiSyQJATtPLFdIubBjb+wlKUe8o9uO/q1yyZT44Pl0 o8smp+YYVb5V3/rncIufdkyAdb7oNCk5kx6pd1Zhw394QJflzdXJCNNB rlQtilS1Rmu+UKQJyaE+yiKd6bdzzd9Sa6QtL6vIx39knXvV07Fvjo4Q OT4I8hcKkXvfwAdMR/r2LIY9yJbOmZgGGnO2mjhVAhmhpod/FllJBxPl ALOVMilT38R3QSQBJE7+GgXBtFnmulJhtjRSyEUv+zj3VJBiQ6smwpMZ cKuDuvtMDYM=
ssa.gov. 34065 IN RRSIG DNSKEY 7 2 36000 20110216153449 20100216153449 9167 ssa.gov. TQgHAtfOuPZ5wZ/Fr/7rigCML5sCGBpsbMz44jVpuJMz30X+NCdW0ebc qa4UyWLCyHLsG9mW+XJ1FssOdHiv9f3HZ/lBoWFpBjA+UBS2p+Ix3Ia/ MoH0mSb5K10WZ6A9vrx4eTdOhumVJ//QFk3Wdd2Bv/Aa/EsFm2ewy0op i17fvzPOrn27x8nWZp0SfxyzwrF5m4VDxVQF8BQ7z7dtkEAubQe88UQ9 FLMp3oSmKjapgMZXhGxxHOM9LD9aV4pLdY3Nm7Nr4qPZE2U7ClfrPf9/ bhLn16h3KRecBu920vwTAk2QVRt2pnnqbYD/ua5xSlIcia4kb3IOGSos s9y+Ag==
ssa.gov. 34065 IN RRSIG DNSKEY 7 2 36000 20110216153449 20100216153449 58158 ssa.gov. K+24cotG7YjIrzk6gS099siFVlleUBbXqwDNYybhhO40dE5Vp6dRCX9y bNZkWgouGZB5c7E4ls2jcIc5wyv1h2mDnS3IPInILKbwNyWES8fWl+HG fi4M32r0+AtjzbbI4bIBAReNI939TOrbZjzymr3uEVwt7p9P9Jy4ZHt3 2R4IfG7QnChJ7J1k2b9/1OheX3AWkL/KihaBdq06maSZ/yypCae54Gf2 ACRBUIXtMzLqD5muiY7IErzq4ruGKDFClsRuOiv//BKc1K2JL9y7+H/z xdMtFsDCjS/uSj36HdEMmeO9RLMug1mppNX5fek0guBQeY5UpEUa1mYb zkwxDQ==
;; Query time: 2 msec
;; SERVER: 192.101.186.214#53(192.101.186.214)
;; WHEN: Wed Mar 17 11:28:30 2010
;; MSG SIZE rcvd: 1454
-----Original Message-----
From: Eric Osterweil [mailto:eoster at cs.ucla.edu]
Sent: Wednesday, March 17, 2010 11:02 AM
To: Richard Lamb
Cc: dnssec-deployment at dnssec-deployment.org
Subject: Re: [Dnssec-deployment] .gov 2048bit ZSK to 1024 bit ZSK ?
On Mar 17, 2010, at 10:53 AM, Richard Lamb wrote:
> Anyone notice ZSK key sizes changing on .gov?
Hey Rick,
You can check .gov's key sizes and other info (as of Mon Mar 15
11:28:37 2010 UTC) at SecSpider:
http://secspider.cs.ucla.edu/gov--zone.html
> Seems to aggravate the non-UDP-reassembling-router problems. Never
> really wanted to see www.ssa.gov anyway ;-)
> Nist.gov has 1024 bit ZSK. Ssa.gov has 2048 bit ZSK
We haven't seen any PMTU availability problems from any pollers (also
viewable at the above link). :)
Eric
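Added example (not part of the original messages): the key sizes discussed in this thread can be read directly from the DNSKEY records in the dig output by decoding the RFC 3110 RSA public key field. The function names are illustrative, and the sample record is the first gov. DNSKEY line copied from the output above.

```python
import base64

# First DNSKEY record from the "dig +dnssec -t dnskey gov" output in this message.
GOV_ZSK = (
    "gov. 84452 IN DNSKEY 256 3 7 "
    "AwEAAaQ6vDoHd2QDRBLwB+n63RxnmJExvIcOz7uv9gM+l8QSMAJTTCDp "
    "qJ8R+8UfYs97cn6LM3cT3kcl9V0GnjljNzNMk39W11Ej7htNcbf4u1n5 "
    "z2e4WsnpjQJJmKoWv2FORIfJmLKbxzGILSK13mrDUETj9onhdtOsjkhc "
    "K/7S+h1d"
)

# DNSSEC algorithm numbers whose keys use the RFC 3110 RSA wire format.
RSA_ALGS = {1, 5, 7, 8, 10}


def rsa_modulus_bits(key: bytes) -> int:
    """Return the modulus bit length of an RFC 3110 RSA public key."""
    if len(key) < 3:
        raise ValueError("public key too short")
    exp_len, off = key[0], 1
    if exp_len == 0:  # long form: exponent length is in the next two octets
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    modulus = key[off + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("truncated or malformed public key")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(line: str) -> dict:
    """Parse one presentation-format DNSKEY line as printed by dig."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, alg = (int(x) for x in fields[i + 1:i + 4])
    if alg not in RSA_ALGS:
        raise ValueError(f"algorithm {alg} is not RSA")
    # dig splits the base64 key into space-separated chunks; rejoin before decoding.
    key = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return {
        "owner": fields[0],
        "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit marks a KSK by convention
        "protocol": protocol,
        "algorithm": alg,
        "bits": rsa_modulus_bits(key),
    }


if __name__ == "__main__":
    print(parse_dnskey(GOV_ZSK))
```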