Logo
ICANN
ICANN
Filtered Search

Are you sure you want to sign out from http://www.icann.org?

If you want to sign out from both http://www.icann.org and ICANN Account, click here.

Public Comment

Public Comment is a vital part of our multistakeholder model. It provides a mechanism for stakeholders to have their opinions and recommendations formally and publicly documented. It is an opportunity for the ICANN community to effect change and improve policies and operations.

closed Draft Report of the Root Zone DNSSEC Algorithm Rollover Study

CategoryTechnical
RequestersOther

Outcome

The design team received a total of seven submissions from groups, organizations, and individuals. The submissions provided input on all aspects of the report and identified areas requiring further analysis and consideration. The design team will soon begin a thorough review of the Public Comment submissions for the final publication of their report.

Download Report (pdf, 163.69 KB)

What We Received Input On

The Root Zone DNSSEC Algorithm Rollover Design Team seeks community input and comments on their draft report. The design team was tasked with two key tasks:

  • providing guidance on how to select an algorithm for the root zone, and
  • investigating how a rollover could be conducted.

The team specifically seeks feedback on their recommendations and whether the rollover methods are appropriate. The exact timing of an algorithm rollover and the design of detailed operational plans was out of scope for the design team.

Proposals For Your Input
Draft Report of the Root Zone DNSSEC Algorithm Rollover Study (pdf, 851.7 KB)

Background

The DNS root zone was first signed in 2010 and the cryptographic keys that sign the zone were replaced once in 2018 in a process known as a key rollover. The key rollover retained use of the widely deployed RSA-SHA cryptographic algorithm. Recently, newer cryptographic algorithms have become more prevalent, with use of ECC algorithms reaching near parity with RSA-SHA in deployments.

The need to study and design the process to change the cryptographic algorithms was identified as a targeted outcome in IANA’s Strategic Roadmap for FY21-24 (page 12) and reiterated by the ICANN SSR2 recommendation 23.2:

As a root DNSKEY algorithm rollover is a very complex and sensitive process, PTI operations should work with other root zone partners and the global community to develop a consensus plan for future root DNSKEY algorithm rollovers, taking into consideration the lessons learned from the first root KSK rollover in 2018.

A design team, modeled on the process used for the first root KSK rollover, was formed in January 2022 to study the steps and timelines needed to realize the algorithm rollover.

Supporting Information

Supporting Information
Root Zone KSK Algorithm Rollover

Timeline (UTC)

Open for Submissions

19 October 2023

Closed for Submissions

04 December 2023 | 23:59

Report Due

18 December 2023 | 23:59

Submissions to this Proceeding

VeriSign, Inc.

Submitted on
4 December 2023

Read more

Registries Stakeholder Group (RySG)

Submitted on
1 December 2023

Read more

Root Server System Advisory Committee

Submitted on
1 December 2023

Read more

See all submissions to this proceeding