[Dnssec-deployment] KSK bytes

Simon Arlott simon at arlott.org
Wed May 4 07:25:52 EDT 2011


On Wed, May 4, 2011 11:11, Jan-Piet Mens wrote:
> I mentioned this the other day:
>
>> I tried to submit a 4096 bit KSK today and a DNSKEY RR, and the
>> registrar's software issued an error message: "we don't support
>> DNSKEY RR which are longer than 500 bytes".
>
> According to our registrar (KeySystems), Afilias doesn't currently
> support KSK sizes of > 2048 bits (i.e. DNSKEY RR with more than 500
> bytes length) for the .ORG TLD.

.ORG accepts DS RRs, not DNSKEY RRs - therefore there is no restriction.
.COM and .NET also accept DS RRs.

.EU only accepts DNSKEY RRs and the restriction is greater than that
required for a 4096 bit key.

HEXONET used to have a DNSKEY restriction of 500 bytes but they have
increased it at least enough for 4096 bit keys.

GoDaddy support 4096 bit keys in .EU too.

-- 
Simon Arlott
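
An added illustration, not part of the original message or thread: it builds DNSKEY RDATA for 2048-bit and 4096-bit RSA KSKs and the matching DS RDATA, showing that only the DNSKEY grows past 500 bytes while the DS stays the same size. Assumptions: algorithm 8 (RSASHA256), exponent 65537, SHA-256 DS digests, owner name `example.org.`, and constructed byte strings standing in for real RSA moduli.

```python
import hashlib
import struct

def rsa_dnskey_rdata(modulus: bytes, exponent: int = 65537, flags: int = 257) -> bytes:
    """DNSKEY RDATA (RFC 4034 2.1) carrying an RFC 3110 RSA key, algorithm 8."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    # RFC 3110: one-octet exponent length, or 0x00 plus two octets if > 255.
    exp_len = bytes([len(exp)]) if len(exp) <= 255 else b"\x00" + struct.pack("!H", len(exp))
    return struct.pack("!HBB", flags, 3, 8) + exp_len + exp + modulus

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_rdata(owner: str, dnskey: bytes) -> bytes:
    """DS RDATA (RFC 4034 5.1) with digest type 2, SHA-256 (RFC 4509)."""
    digest = hashlib.sha256(wire_name(owner) + dnskey).digest()
    return struct.pack("!HBB", key_tag(dnskey), dnskey[3], 2) + digest

def constructed_modulus(bits: int) -> bytes:
    # Constructed stand-in for an RSA modulus (NOT a real key): deterministic
    # bytes of the right length with the top bit set and an odd low byte.
    out, counter = b"", 0
    while len(out) < bits // 8:
        out += hashlib.sha256(b"constructed-%d-%d" % (bits, counter)).digest()
        counter += 1
    out = out[: bits // 8]
    return bytes([out[0] | 0x80]) + out[1:-1] + bytes([out[-1] | 1])

def sizes(bits: int, owner: str = "example.org.") -> tuple:
    """Return (DNSKEY RDATA length, DS RDATA length) for a KSK of `bits` bits."""
    dnskey = rsa_dnskey_rdata(constructed_modulus(bits))
    return len(dnskey), len(ds_rdata(owner, dnskey))

if __name__ == "__main__":
    for bits in (2048, 4096):
        dk, ds = sizes(bits)
        print(f"{bits}-bit KSK: DNSKEY RDATA {dk} bytes, DS RDATA {ds} bytes")
```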

