Public Comment is a vital part of our multistakeholder model. It provides a mechanism for stakeholders to have their opinions and recommendations formally and publicly documented. It is an opportunity for the ICANN community to effect change and improve policies and operations.
هذا المحتوى متوفر فقط باللغة (أو اللغات)
I appreciate the comprehensive and well-structured proposal for the Root Zone KSK algorithm rollover from RSA/SHA-256 to ECDSA P-256. The phased approach, including double-signing and detailed backout planning, demonstrates a strong commitment to maintaining DNS stability and trust.
From a technical and operational perspective, I would like to highlight several considerations related to real-world deployment environments, particularly in developing regions.
First, while ECDSA P-256 is supported by most modern DNS software, there may still be legacy systems and outdated resolvers that lack full compatibility. These are often present in smaller ISPs, enterprise environments, and educational institutions. It would be beneficial to provide more explicit guidance on identifying and mitigating such compatibility risks at scale.
Second, during the double-signing phase, DNS response sizes may increase, potentially leading to higher rates of packet truncation and TCP fallback. While reducing RSA ZSK size is a good mitigation, continuous monitoring and telemetry collection should be prioritized to assess real-world impact on resolver behavior and network performance.
Third, more practical deployment support would significantly help operators prepare for the transition. This may include:
- Reference configurations for validating resolvers
- Monitoring metrics for DNSSEC validation success rates
- Public dashboards or measurement reports
- Simulation environments or testbeds for readiness validation
Finally, I emphasize the importance of targeted communication and outreach, especially toward operators in developing regions, to ensure broad awareness and preparedness.
Overall, I support the proposed transition as a necessary step to modernize the cryptographic foundation of the DNS root. Strengthening operational guidance and real-world validation mechanisms will further enhance the success and resilience of this rollout.
This attachment provides additional technical and operational feedback on the proposed Root KSK algorithm rollover, focusing on deployment challenges in developing regions.
It highlights gaps in resolver readiness visibility, risks during the double-signing phase, and the need for better monitoring, testing environments, and operator-focused documentation.
The document also includes a simplified system-level diagram and practical recommendations to improve rollout safety, observability, and global adoption readiness.
I support the proposed Root Zone KSK algorithm rollover from RSA/SHA-256 to ECDSA P-256 as an important step in strengthening DNSSEC and modernizing the security of the DNS root.
My submission highlights potential challenges in real-world deployment, particularly regarding legacy resolver compatibility, increased DNS response size during the double-signing phase, and operational complexity for network operators.
I recommend strengthening implementation support by providing practical guidance such as reference configurations, monitoring tools, and testing environments. Additionally, continuous measurement and targeted outreach to underrepresented regions will be essential to ensure a smooth and reliable transition.
Focusing on operational readiness and real-world validation will help minimize risks and improve the overall success of the algorithm rollover.