Public Comment is a vital part of our multistakeholder model. It provides a mechanism for stakeholders to have their opinions and recommendations formally and publicly documented. It is an opportunity for the ICANN community to effect change and improve policies and operations.
April 6, 2026 amendment:
Based on recent conversations in the DNS community, Verisign wants to address the topic of how different RSA zone signing key lengths are likely to affect root server response sizes. Please consider the attached report in addition to our earlier submitted comments on this proposal.
These comments are provided in response to ICANN’s call for public comments on the document “Proposal for Root Zone KSK Algorithm Rollover”.
As noted in the proposal document, the root zone has been signed with an RSA-based DNSSEC algorithm since 2010. The DNS ecosystem has seen an increase in adoption and deployment of ECDSA-based signing algorithms in recent years, with ECDSA P-256 surpassing RSA in mid-2024 according to at least one long-term survey [1]. In 2023, Verisign transitioned its .net and .com top-level domains from RSA to ECDSA over the course of a few weeks each. These transitions utilized the conservative double-signing approach and resulted in no known end user service disruptions. We agree that ECDSA P-256 (algorithm 13) is the most suitable choice for the root zone's next DNSSEC signing algorithm and that double-signing is the best approach in terms of protocol compliance and for minimizing any risks to end users.
We are pleased to bring our experience and expertise to support this transition, which will use a similar approach, albeit on a longer time scale. We look forward to further collaboration with our ICANN and IANA colleagues to implement the root zone algorithm rollover.
[1] https://stats.dnssec-tools.org/#/?dnssec_param_tab=0