[Dnssec-deployment] KSK bytes
simon at arlott.org
Wed May 4 07:25:52 EDT 2011
On Wed, May 4, 2011 11:11, Jan-Piet Mens wrote:
> I mentioned this the other day:
>> I tried to submit a 4096 bit KSK today and a DNSKEY RR, and the
>> registrar's software issued an error message: "we don't support
>> DNSKEY RR which are longer than 500 bytes".
> According to our registrar (KeySystems), Afilias doesn't currently
> support KSK sizes of > 2048 bits (i.e. DNSKEY RR with more than 500
> bytes length) for the .ORG TLD.
.ORG accepts DS RRs, not DNSKEY RRs - therefore there is no restriction.
.COM and .NET also accept DS RRs.
.EU only accepts DNSKEY RRs and the restriction is greater than that
required for a 4096 bit key.
HEXONET used to have a DNSKEY restriction of 500 bytes but they have
increased it at least enough for 4096 bit keys.
GoDaddy support 4096 bit keys in .EU too.
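
An added example, not part of the original message: it builds DNSKEY RDATA for RSA keys of several sizes and the matching DS RDATA, showing that the DNSKEY grows past 500 bytes at 4096 bits while the DS stays the same size. The modulus is a constructed placeholder (not a real key), and the owner name `example.org.`, exponent 65537 and algorithm 8 are assumptions; both the wire and base64 lengths are reported because the thread does not say which one the 500-byte limit counted.

```python
import base64
import hashlib
import struct

def rsa_dnskey_rdata(modulus_bits, exponent=65537, flags=257, algorithm=8):
    """DNSKEY RDATA (RFC 4034 2.1) holding an RSA public key (RFC 3110)."""
    # Constructed value with the top bit set, NOT a real RSA modulus:
    # only its length matters for this size comparison.
    n = (1 << (modulus_bits - 1)) | 1
    mod = n.to_bytes(modulus_bits // 8, "big")
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    # Exponent length is one octet, or 0x00 plus two octets if over 255.
    explen = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + struct.pack("!H", len(exp))
    return struct.pack("!HBB", flags, 3, algorithm) + explen + exp + mod

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_rdata(owner, dnskey, digest_type=2):
    """DS RDATA (RFC 4034 5.1): key tag, algorithm, digest type, digest."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + dnskey).digest()
    return struct.pack("!HBB", key_tag(dnskey), dnskey[3], digest_type) + digest

def sizes(bits, owner="example.org."):
    dnskey = rsa_dnskey_rdata(bits)
    return {
        "dnskey_wire": len(dnskey),                        # RDATA octets
        "dnskey_b64": len(base64.b64encode(dnskey[4:])),   # zone-file key field
        "ds_sha256": len(ds_rdata(owner, dnskey)),
    }

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(bits, sizes(bits))
```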