Skip to content
Go to file
Cannot retrieve contributors at this time
133 lines (87 sloc) 3.48 KB

Yeti Project Report: Big-ZSK Experiment (BGZSK)

Version: 1.0

Date: 2016-12-15


Yeti DNS System is a live testbed for Root DNS Server System:

In mid-2016, the Yeti project ran the Big ZSK (BGZSK) experiment, designed to test operating the Yeti root with a 2048-bit ZSK.

RSA 1024 is no longer recommended for cryptography. At some point the ZSK should be made longer. Common practice is to adopt 2048 bits keys.

VeriSign gave a presentation at the DNS-OARC 24th workshop, announcing that they will be increasing the root zone ZSK from 1024 bits to 2048 bits in 2016:

Yeti changed to RSA 2048 for ZSK and observed the results. The expectation was that while signed replies will be larger, it was unlikely that we would see increased truncation or fragmentation, as most replies would still be less than 1280 bytes.

Given that this was merely an extension of existing key length, and that the KSK was already signed with the same algorithm and key length, no lab test was required for this experiment.

This experiment did not require any specific changes on the part of the Yeti root operators or the Yeti resolver operators.

The BGZSK experiment proposal and more details were documented in Experiment-BGZSK1.

Experiment Protocol

The Yeti project uses an experiment protocol, documented in Experiment-Protocol2. The BGZSK experiment did not follow this protocol. Normally there are:

  1. Proposal
  2. Lab Test
  3. Yeti Test
  4. Report of Findings

However, in the case of the BGZSK we decided that since the mode of operation was so standard that a lab test would not be necessary. So for the BGZSK experiment we simply followed:

  1. Proposal
  2. Yeti Test
  3. Report of Findings

This document is the report of findings.

Project Timeline


Shane Kerr sent a mail3 to the Yeti discussion mailing list proposing that Yeti conduct the BGZSK experiment.


Shane Kerr sent a mail4 announcing the start of the BGZSK experiment.


BII 2048-bit ZSK published, with the old 1024-bit ZSK still there.


BII 2048-bit ZSK used for signing.


TISF 2048-bit ZSK published, with the old 1024-bit ZSK still there.


BII 1024-bit ZSK removed.


TISF 2048-bit ZSK used for signing.


TISF 1024-bit ZSK removed.


WIDE 2048-bit ZSK published, with the old 1024-bit ZSK still there.


WIDE 2048-bit ZSK used for signing.


WIDE 1024-bit ZSK removed.


The experiment was concluded5.

Observations & Results

No operational issues were reported or discovered. The Yeti system continued to work during all phases of the roll.

Analysis of Captured Packets

Description of measurements


Using a 2048-bit ZSK for the Yeti root works as expected.

Since the 2048-bit ZSK works and since the IANA also moved to a 2048-bit ZSK soon, the Yeti project has left it in place.

You can’t perform that action at this time.