At The Swedish Internet Foundation we are very security concious. We were the first TLD in the world to sign their zone with DNSSEC. Being on the forefront of things is a nice feeling, but sometimes you get to feel the pain of it. Having signed so early means that at the time there was only one algorithm to use, RSA-SHA1. The security of SHA1 has been discussed in the community for some time now and even though there is no need for panic, there are more secure alternatives available today.
As preparation for the changing of keys used in the .se zone I have done some tests about packet sizes with different key sizes and algorithms. Currently the .se zone is signed by a 2048 bit Key Signing Key (KSK) and a 1024 bit Zone Signing Key (ZSK) both in RSA-SHA1 format.