[Dnssec-deployment] KSK bytes

Simon Arlott simon at arlott.org
Wed May 4 07:25:52 EDT 2011

On Wed, May 4, 2011 11:11, Jan-Piet Mens wrote:
> I mentioned this the other day:
>> I tried to submit a 4096 bit KSK today and a DNSKEY RR, and the
>> registrar's software issued an error message: "we don't support
>> DNSKEY RR which are longer than 500 bytes".
> According to our registrar (KeySystems), Afilias doesn't currently
> support KSK sizes of > 2048 bits (i.e. DNSKEY RR with more than 500
> bytes length) for the .ORG TLD.

.ORG accepts DS RRs, not DNSKEY RRs - therefore there is no restriction.
.COM and .NET also accept DS RRs.

.EU only accepts DNSKEY RRs and the restriction is greater than that
required for a 4096 bit key.

HEXONET used to have a DNSKEY restriction of 500 bytes but they have
increased it at least enough for 4096 bit keys.

GoDaddy support 4096 bit keys in .EU too.

Simon Arlott
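
The size difference behind this thread, as an added example that is not part of the original message: DNSKEY RDATA (RFC 4034, RSA key field per RFC 3110) grows with the modulus, while DS RDATA has a fixed length set by the digest type. Assumptions: public exponent 65537, algorithm 8, owner name example.org, and a constructed filler modulus rather than a real key; how the registrars measure their 500-byte limit is not stated in the thread.

```python
import hashlib
import struct

def rsa_dnskey_rdata(modulus_bits, exponent=65537, flags=257, algorithm=8):
    """Build DNSKEY RDATA (RFC 4034) holding an RFC 3110 RSA public key field.
    The modulus is constructed filler of the right length, not a real key."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = b"\x80" + b"\x01" * (modulus_bits // 8 - 1)  # top bit set
    # Exponent length: one octet, or a zero octet plus two octets when > 255
    exp_len = bytes([len(exp)]) if len(exp) <= 255 else b"\x00" + struct.pack("!H", len(exp))
    # flags (257 = KSK), protocol (always 3), algorithm, then the key field
    return struct.pack("!HBB", flags, 3, algorithm) + exp_len + exp + modulus

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_rdata(owner, dnskey_rdata, digest_type=2):
    """DS RDATA: key tag, algorithm, digest type, digest(owner | DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = h(name_to_wire(owner) + dnskey_rdata).digest()
    return struct.pack("!HBB", key_tag(dnskey_rdata), dnskey_rdata[3], digest_type) + digest

def sizes(modulus_bits, owner="example.org."):
    """Return (DNSKEY RDATA length, DS RDATA length) in bytes."""
    dnskey = rsa_dnskey_rdata(modulus_bits)
    return len(dnskey), len(ds_rdata(owner, dnskey))

if __name__ == "__main__":
    for bits in (2048, 4096):
        dnskey_len, ds_len = sizes(bits)
        print(f"RSA-{bits}: DNSKEY RDATA {dnskey_len} bytes, DS RDATA {ds_len} bytes")
```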
