Public Comment

Public Comment is a vital part of our multistakeholder model. It provides a mechanism for stakeholders to have their opinions and recommendations formally and publicly documented. It is an opportunity for the ICANN community to effect change and improve policies and operations.

Proposed Root KSK Algorithm Rollover (closed)

Category Technical
Requesters ICANN org

Outcome

ICANN org received 12 submissions on the Proposed Root Zone KSK Algorithm Rollover, including a late submission from the ICANN Security and Stability Advisory Committee (SSAC). Responses ranged from broad support for the proposal to technical concerns, principally regarding the reduction of the RSA Zone Signing Key from 2048 to 1536 bits and the absence of defined criteria for triggering phase scheduling adjustments. No structural changes to the rollover plan were made as a result of the proceeding. ICANN org will proceed with the algorithm rollover as proposed and will publish phase transition criteria and conduct targeted outreach to the operator community ahead of the transition.

Public Comment provided a useful record of community views on a technically complex operational proposal. The input confirmed broad support for the proposal's overall direction and identified specific areas where additional documentation will strengthen the operational basis for the rollover. This summary report serves as the primary record of ICANN org's responses to the concerns raised during the proceeding.

What We Received Input On

This Public Comment proceeding requests community feedback on the proposed DNS root zone Key Signing Key (Root KSK) algorithm rollover. The Root KSK is the global trust anchor for DNSSEC and is managed under the Internet Assigned Numbers Authority (IANA) functions.

The proposal sets out a multi-year implementation plan, beginning with the generation of a new ECDSA Root KSK in 2027 and ending with the retirement of the RSA Root KSK in 2029. Community feedback is particularly encouraged on the following topics:

  • The proposed algorithm rollover methodology and implementation timeline.
  • Operational readiness, including resolver and authoritative server compatibility.
  • Identification of additional risks that have not been considered by the plan.

Proposals For Your Input
Proposal for Root Zone KSK Algorithm Rollover (pdf, 351.21 KB)

Background

Cryptographic signing of the DNS root zone using the Domain Name System Security Extensions (DNSSEC) began in 2010 with RSA-based algorithms. While the root zone Key Signing Key (KSK) was rolled over in 2018, the cryptographic algorithm itself has not changed. The next KSK rollover is scheduled for October 2026, and the root zone continues to use RSA with SHA-256. To date, there has been no established process for transitioning the root zone to a different signing algorithm.

In 2021, ICANN’s Second Security, Stability, and Resiliency (SSR2) Review identified this gap and recommended that ICANN, in its role as the Internet Assigned Numbers Authority (IANA) functions operator, collaborate with root zone partners and the global community to develop a clear plan for future DNSSEC algorithm rollovers. The ICANN Board adopted this recommendation in July 2021.

To advance this effort, ICANN, in cooperation with its root zone partners and technical experts, including Verisign as the Root Zone Maintainer, created a design team in January 2023 to study and develop a framework for a future algorithm rollover. This work resulted in a Root Zone DNSSEC Algorithm Rollover Study, which assessed ecosystem readiness, operational risk, and candidate algorithms. This Proposal for the Root KSK Algorithm Rollover is the implementation of these recommendations.