
Root Zone KSK Algorithm Rollover


The Domain Name System (DNS) is the Internet's address book that connects users to services on the Internet. Unfortunately, it was not designed with security in mind. The DNS root zone was first signed in 2010 to make it more secure for Internet users. The cryptographic keys that sign the zone were replaced once, in 2018, in a process known as a key rollover. That first key rollover continued to use the widely deployed RSA-SHA cryptographic signing algorithm. Since then, newer cryptographic algorithms have become more prevalent. This has led to discussions in the ICANN community about preparing a process for updating future DNS cryptographic keys to realize the benefits of these newer algorithms.

Design Team

The Second Security, Stability, and Resiliency Review (SSR2) (recommendation 23.2) identified algorithm rollovers as inherently complex and sensitive processes that may involve many stakeholders.

IANA will convene a design team that will define the steps and timelines needed to realize the algorithm rollover and provide a framework to ensure that the ICANN community and ICANN's global partners are technically and operationally prepared for a future change in the KSK's signing algorithm.

Please Note: This project should not be confused with a KSK rollover (without the word "algorithm"). A KSK rollover replaces the cryptographic keys with new keys that use the same signing algorithm. A KSK algorithm rollover also replaces the cryptographic keys, but the new keys use a different signing algorithm.
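To make the distinction concrete, here is an added example (not ICANN's or IANA's code) that classifies a before/after pair of DNSKEY RRsets as either a KSK rollover or a KSK algorithm rollover, and then checks the RFC 4035 section 2.2 rule that a zone must be signed with every algorithm present in its DNSKEY RRset. That rule is the extra operational constraint an algorithm rollover introduces: while keys for both algorithms are published, signatures for both must be present or some validators will treat the data as bogus. The DNSKEY records, key tags and RRSIGs below are constructed sample values; the algorithm numbers are IANA registry values, not data from this page.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers (registry values, not page data)
ALGORITHM_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}


@dataclass(frozen=True)
class DNSKEY:
    flags: int      # 257 = KSK (Zone Key + SEP bits), 256 = ZSK
    algorithm: int  # IANA algorithm number
    keytag: int     # constructed tag for illustration, not computed from key material


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    keytag: int


def ksks(dnskeys):
    """Key-signing keys are the DNSKEYs with the SEP bit (flags value 1) set."""
    return {k for k in dnskeys if k.flags & 1}


def classify_rollover(before, after):
    """Distinguish a plain KSK rollover (new key, same algorithm) from a KSK
    algorithm rollover (new key with a different signing algorithm)."""
    old, new = ksks(before), ksks(after)
    if old == new:
        return "no KSK change"
    if {k.algorithm for k in old} == {k.algorithm for k in new}:
        return "KSK rollover"
    return "KSK algorithm rollover"


def unsigned_algorithms(dnskeys, rrsigs):
    """RFC 4035 section 2.2: a zone must be signed with every algorithm present
    in its DNSKEY RRset. Return the algorithms that appear in DNSKEY but have
    no covering RRSIG; a non-empty result is a rollover defect."""
    return {k.algorithm for k in dnskeys} - {s.algorithm for s in rrsigs}


def describe(algorithms):
    """Map algorithm numbers to registry names, sorted for stable output."""
    return sorted(ALGORITHM_NAMES.get(a, f"alg{a}") for a in algorithms)


# Constructed sample data: a KSK/ZSK pair using algorithm 8 (RSASHA256)
CURRENT = [DNSKEY(257, 8, 1001), DNSKEY(256, 8, 1002)]
# Plain KSK rollover: a new KSK with the same algorithm
AFTER_KSK_ROLL = [DNSKEY(257, 8, 1003), DNSKEY(256, 8, 1002)]
# Algorithm rollover mid-transition: keys for both algorithms are published...
TRANSITION = CURRENT + [DNSKEY(257, 13, 1004), DNSKEY(256, 13, 1005)]
# ...but the DNSKEY RRset is (wrongly) still signed only by the old KSK
TRANSITION_SIGS = [RRSIG(8, 1001)]

if __name__ == "__main__":
    print(classify_rollover(CURRENT, AFTER_KSK_ROLL))  # KSK rollover
    print(classify_rollover(CURRENT, TRANSITION))      # KSK algorithm rollover
    print(describe(unsigned_algorithms(TRANSITION, TRANSITION_SIGS)))  # ['ECDSAP256SHA256']
```

The classification looks only at the KSKs (SEP bit set), because that is what a root KSK rollover changes; the coverage check looks at all keys, because the signing rule applies to every algorithm in the RRset regardless of key role. In a real deployment the DNSKEY and RRSIG records would be fetched and parsed from the zone rather than constructed inline.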

How to Get Involved

Please take a look at ICANN's announcement for the call for volunteers to create a design team.

The recommendations from the design team will be made available in a Public Comment proceeding.

You can subscribe to the ksk-rollover mailing list to join the public discussions on issues related to changing the root key signing key.

Projected Timeline

November 2022: Call for design team
February 2023: Form design team
April 2023: Draft Public Comment proceeding
June 2023: Final recommendations published
