Root Zone KSK Algorithm Rollover
The Domain Name System (DNS) is the Internet's address book that connects users to services on the Internet. Unfortunately, it was not designed with security in mind. The DNS root zone was first signed in 2010 to help keep it more secure for Internet users. The cryptographic keys that sign the zone were replaced once in 2018 in a process known as a key rollover. The first key rollover continued to use the widely deployed RSA-SHA cryptographic signing algorithm. Recently, newer cryptographic algorithms have become more prevalent. This has led to discussions in the ICANN community about preparing a process for updating future DNS cryptographic keys to realize the benefits of these newer algorithms.
The Second Security, Stability, and Resiliency Review (SSR2) (recommendation 23.2) identified algorithm rollovers as inherently complex and sensitive processes, and which may involve many stakeholders.
IANA will convene a design team that will define the steps and timelines needed to realize the algorithm rollover and provide a framework to ensure that the ICANN community and ICANN's global partners are technically and operationally prepared for a future change in the KSK's signing algorithm.
Please Note: This project should not be confused with a KSK rollover (without the word "algorithm"). A KSK rollover changes the cryptographic keys with those using the same algorithm. A KSK algorithm rollover changes the cryptographic keys but also uses a different signing algorithm.
How to Get Involved
Please take a look at ICANN's announcement for the call for volunteers to create a design team.
The recommendations from the design team will be made available in a Public Comment proceeding.
You can subscribe to the ksk-rollover mailing list to join the public discussions on issues related to changing the root key signing key.
November 2022: Call for design team
January 2023: Form design team
April 2023: Draft Public Comment proceeding
June 2023: Final recommendations published