We would like to announce that the Proposal for Root Zone KSK Algorithm Rollover has been released for public comment and is available for review on the ICANN website:
https://www.icann.org/en/public-comment/proceeding/proposed-root-ksk-algorithm-rollover-03-02-2026
The proposal describes a multi-year plan to generate a new ECDSA Root KSK in 2027 and retire the RSA Root KSK by 2030. It includes:
* Transitioning the DNS root KSK from RSA/SHA-256 to ECDSA P-256/SHA-256
* Following a traditional double-signing approach, with both algorithms running in parallel during the transition
* Adjusting the RSA ZSK size from 2048 to 1536 bits prior to the transition, to reduce the possible need to truncation and retransmission over TCP.
Community feedback on the methodology, timeline, operational readiness, and any additional risks is encouraged.
The public comment period is open through 6 April 2026.
Thanks,
--
Andres Pavez
Cryptographic Key Manager
_______________________________________________
root-dnssec-announce mailing list -- root-dnssec-announce@icann.org
To unsubscribe send an email to root-dnssec-announce-leave@icann.org
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.