Public Comment

Public Comment is a vital part of our multistakeholder model. It provides a mechanism for stakeholders to have their opinions and recommendations formally and publicly documented. It is an opportunity for the ICANN community to effect change and improve policies and operations.

هذا المحتوى متوفر فقط باللغة (أو اللغات)

  • English

Name: NITIN WALIA
Date: 19 Mar 2026
Original Public Comment: Proposed Root KSK Algorithm Rollover
Other Comments

The proposed Root KSK algorithm rollover represents an important and necessary evolution of the DNSSEC trust anchor, and the selection of ECDSA P-256 is appropriate given its maturity, widespread deployment, and alignment with current cryptographic standards. The overall methodology, particularly the use of a conservative double-signing approach and phased execution, reflects a strong commitment to maintaining global DNS stability. However, there are a few areas where further refinement would strengthen the proposal.

First, the planned reduction of the RSA ZSK size to 1536 bits raises concerns. While the objective of controlling DNS response sizes is understandable, weakening cryptographic strength even temporarily may not be the optimal trade-off. Alternative approaches, such as earlier introduction of an ECDSA based ZSK or accepting increased reliance on TCP fallback during the transition period, could be evaluated to maintain stronger security posture without significantly impacting operations.

Second, the reliance on pre-generated Signed Key Responses (SKRs) for multiple future states introduces potential operational and security considerations. While this improves flexibility, additional safeguards or procedural controls should be clearly articulated to prevent any unintended misuse or exposure.

Third, Phase DD (introduction of signatures without corresponding DNSKEYs) appears to add complexity without clear operational benefit. Simplifying this phase or merging it with the dual-signing phase could reduce risk and improve clarity for implementers.

Finally, the revocation timeline for the RSA KSK would benefit from a more adaptive approach. Incorporating telemetry-based decision-making such as monitoring resolver behavior and trust anchor adoption could ensure a safer and more globally aligned transition.

Overall, the proposal is well-structured and directionally sound, but incorporating these refinements would enhance robustness, transparency, and long-term trust in the process.

Summary of Submission

My submission supports the transition to ECDSA P-256 and the overall phased, double-signing approach, while recommending refinements to improve security, operational clarity, and risk management. Key recommendations include avoiding temporary reduction in cryptographic strength, strengthening safeguards around pre-generated key materials, simplifying the transition phases, and adopting telemetry-driven decision-making for key revocation. These enhancements will help ensure a secure, stable, and globally inclusive transition of the DNS root trust anchor.