.is DNSSEC migration
Today the .is zone was migrated to new DNSSEC signing servers.
The migration has been in preparation for more than a year, and the process was tested thoroughly before the actual migration was performed.
The biggest change is that now there are two signer signing the .is zone, one primary and one backup signer. If the primary signer, for some reason, is unable to sign the zone, it's simple to fallback to the backup signer and continue updating the .is zone. Encryption keys are synced between the signers, so in the case of failover to backup signer, users should not be aware of it.
The new signers are running
Knot DNS, which is maintained by our friends at
cz.nic which maintain the .cz ccTLD.
The old signer was running OpenDNSSEC and it's been signing .is since DNSSEC was implemented in 2013.
With the change the key sizes were changed from 2048 and 1024 bit RSA keys to 4096 and 2048 bit RSA keys.