[dns-operations] Proposal for Root Zone KSK Algorithm Rollover
Andres Pavez
andres.pavez at iana.org
Tue Feb 3 21:08:11 UTC 2026
We would like to announce that the Proposal for Root Zone KSK Algorithm Rollover has been released for public comment and is available for review on the ICANN website:
https://www.icann.org/en/public-comment/proceeding/proposed-root-ksk-algorithm-rollover-03-02-2026
The proposal describes a multi-year plan to generate a new ECDSA Root KSK in 2027 and retire the RSA Root KSK by 2030. It includes:
* Transitioning the DNS root KSK from RSA/SHA-256 to ECDSA P-256/SHA-256
* Following a traditional double-signing approach, with both algorithms running in parallel during the transition
* Adjusting the RSA ZSK size from 2048 to 1536 bits prior to the transition, to reduce the possible need to truncation and retransmission over TCP.
Community feedback on the methodology, timeline, operational readiness, and any additional risks is encouraged.
The public comment period is open through 6 April 2026.
Thanks,
--
Andres Pavez
Cryptographic Key Manager
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5727 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20260203/8548dd5d/attachment.bin>
More information about the dns-operations
mailing list