Where are we at with RSA at the top of the DNS tree? Let's take a look at some names:
Name | KSK | ZSK |
---|---|---|
. | 2048-bit RSASHA256 | 2048-bit RSASHA256 |
au. | 2048-bit RSASHA256 | 2048-bit RSASHA256 |
com.au. | 2048-bit RSASHA256 | 1024-bit RSASHA256 |
id.au. | 2048-bit RSASHA256 | 1024-bit RSASHA256 |
net.au. | 2048-bit RSASHA256 | 1024-bit RSASHA256 |
org.au. | 2048-bit RSASHA256 | 1024-bit RSASHA256 |
com. | 2048-bit RSASHA256 | 1024-bit RSASHA256 |
net. | 2048-bit RSASHA256 | 1024-bit RSASHA256 |
org. | 2048-bit RSASHA1-NSEC3-SHA1 | 1024-bit RSASHA1-NSEC3-SHA1 |

2048-bit keys dominate the KSK list, while 1024-bit keys are the norm for ZSKs. Verisign are in the midst of switching from 1024-bit to 1280-bit ZSKs, so this list will change a little by the end of this year. Regardless, if you want to implement a validator you are going to need to support the weaker keys for some time yet.
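The table above was built by looking at the DNSKEY RRsets of each zone; the key size is not stated in the record, it has to be recovered from the RSA public key field, which RFC 3110 encodes as a one-byte exponent length (zero meaning a two-byte length follows), the exponent, then the modulus. The following is an added example, not code from the original post: it parses a presentation-format DNSKEY, computes the modulus size and the RFC 4034 key tag, and applies a configurable strength policy of the kind a validator operator would log against. The sample records are constructed with dummy moduli sized to match the table (the `make_rsa_dnskey` helper, `ALGORITHMS` mapping and `assess` policy are this example's own names, not a library API); they are not real zone keys.

```python
"""Inspect DNSKEY records: recover the RSA modulus size and algorithm so a
validator or auditor can apply a key-strength policy.
Added example, not code from the original post."""
import base64
import struct

# DNSSEC algorithm numbers from the IANA registry (subset).
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
}
RSA_ALGORITHMS = {5, 7, 8, 10}
SHA1_ALGORITHMS = {5, 7}


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the full DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110: 1-byte exponent length (0 => 2-byte length follows), exponent, modulus."""
    if not pubkey:
        raise ValueError("empty public key")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("missing modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(presentation: str) -> dict:
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into a dict."""
    fields = presentation.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split on whitespace
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return {
        "owner": fields[0],
        "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit set => KSK by convention
        "algorithm": alg,
        "algorithm_name": ALGORITHMS.get(alg, f"alg{alg}"),
        "key_tag": key_tag(rdata),
        "bits": rsa_modulus_bits(pubkey) if alg in RSA_ALGORITHMS else None,
    }


def assess(info: dict, min_rsa_bits: int = 2048) -> list:
    """Policy findings worth logging; an empty list means the key passes."""
    findings = []
    if info["algorithm"] in SHA1_ALGORITHMS:
        findings.append("SHA-1 based algorithm")
    if info["bits"] is not None and info["bits"] < min_rsa_bits:
        findings.append(f"RSA modulus {info['bits']} < {min_rsa_bits} bits")
    return findings


def make_rsa_dnskey(owner, flags, alg, modulus_bits, exponent=65537):
    """Constructed test record: RFC 3110 encoding around a dummy modulus of the
    requested size (a pattern, not a real RSA modulus; not a usable key)."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = ((1 << (modulus_bits - 1)) | 0x1234567).to_bytes(modulus_bits // 8, "big")
    if len(e) < 256:
        pubkey = bytes([len(e)]) + e + n
    else:  # long exponent: zero byte then 16-bit length
        pubkey = b"\x00" + struct.pack("!H", len(e)) + e + n
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(pubkey).decode()}"


# Constructed records mirroring the sizes in the table (dummy moduli).
SAMPLE_KEYS = [
    make_rsa_dnskey("com.", 257, 8, 2048),   # KSK
    make_rsa_dnskey("com.", 256, 8, 1024),   # ZSK, pre-rollover
    make_rsa_dnskey("com.", 256, 8, 1280),   # ZSK, post-rollover size
    make_rsa_dnskey("org.", 257, 7, 2048),   # KSK, SHA-1 based
]


def audit(records, min_rsa_bits=2048):
    """Parse every record and attach policy findings."""
    out = []
    for rec in records:
        info = parse_dnskey(rec)
        info["findings"] = assess(info, min_rsa_bits)
        out.append(info)
    return out


if __name__ == "__main__":
    for k in audit(SAMPLE_KEYS):
        print(f"{k['owner']:8} {k['role']} tag={k['key_tag']:5} "
              f"{k['bits']}-bit {k['algorithm_name']:20} {k['findings']}")
```

The `assess` step reports rather than rejects: a validator that refused 1024-bit RSA or the SHA-1 algorithms today would fail to validate the zones in the table, and RFC 8624 still requires validators to support algorithms 5 and 7 even though signing with them is no longer recommended. Treat the findings as audit output to drive operators toward a rollover, not as a reason to return SERVFAIL.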