What We Received Input On
The Root Zone DNSSEC Algorithm Rollover Design Team seeks community input and comments on its draft report. The design team was given two tasks:
- providing guidance on how to select an algorithm for the root zone, and
- investigating how a rollover could be conducted.
The team specifically seeks feedback on its recommendations and on whether the proposed rollover methods are appropriate. The exact timing of an algorithm rollover and the design of detailed operational plans were out of scope for the design team.
Proposals For Your Input
The DNS root zone was first signed in 2010 and the cryptographic keys that sign the zone were replaced once in 2018 in a process known as a key rollover. The key rollover retained use of the widely deployed RSA-SHA cryptographic algorithm. Recently, newer cryptographic algorithms have become more prevalent, with use of ECC algorithms reaching near parity with RSA-SHA in deployments.
The need to study and design the process to change the cryptographic algorithms was identified as a targeted outcome in IANA’s Strategic Roadmap for FY21-24 (page 12) and reiterated by the ICANN SSR2 recommendation 23.2:
As a root DNSKEY algorithm rollover is a very complex and sensitive process, PTI operations should work with other root zone partners and the global community to develop a consensus plan for future root DNSKEY algorithm rollovers, taking into consideration the lessons learned from the first root KSK rollover in 2018.
A design team, modeled on the process used for the first root KSK rollover, was formed in January 2022 to study the steps and timelines needed to realize the algorithm rollover.
The design team will review all comments received and, if deemed necessary, update its report. A summary of the comments and the working group's analysis of them will be included in the final report.