Public Comment is a vital part of our multistakeholder model. It provides a mechanism for stakeholders to have their opinions and recommendations formally and publicly documented. It is an opportunity for the ICANN community to effect change and improve policies and operations.
Submissions for this Proceeding
Proposed Root KSK Algorithm Rollover
Submission Summary:
The RSSAC sees notable benefits with making this change, and sees very few and minor risks. The RSSAC therefore supports going forward with making this change.
Submission Summary:
These comments are provided in response to ICANN’s call for public comments on the document “Proposal for Root Zone KSK Algorithm Rollover”.
As noted in the proposal document, the root zone has been signed with an RSA-based DNSSEC algorithm since 2010. The DNS ecosystem has seen an increase in adoption and deployment of ECDSA-based signing algorithms in recent years, with ECDSA P-256 surpassing RSA in mid-2024 according to at least ...
Submission Summary:
The author, a Cloud Security Expert from Lagos, Nigeria, provides feedback on the DNS root zone KSK algorithm rollover proposal. They emphasize the need for a systemic risk analysis regarding the impact on West African digital economies and urge ICANN to adopt a security approach that accounts for localized operational vulnerabilities in emerging markets to ensure global educational access.
Submission Summary:
The gTLD Registries Stakeholder Group (RySG) is supportive of the proposal for Root Zone KSK algorithm rollover and highlights a couple of items from the proposal in its comments.
Submission Summary:
This submission supports the transition from RSA to ECDSA for the Root KSK and agrees with the overall phased rollout approach. The feedback highlights the importance of monitoring real-world resolver behavior, improving visibility into validation issues during the transition, and clearly acknowledging temporary trade-offs such as the reduced RSA ZSK size. The proposal is solid, with suggestions focused on operational visibility and risk manag...
Submission Summary:
I support the proposed Root Zone KSK algorithm rollover from RSA/SHA-256 to ECDSA P-256 as an important step in strengthening DNSSEC and modernizing the security of the DNS root.
My submission highlights potential challenges in real-world deployment, particularly regarding legacy resolver compatibility, increased DNS response size during the double-signing phase, and operational complexity for network operators.
I recommend strengt...
Submission Summary:
My submission supports the transition to ECDSA P-256 and the overall phased, double-signing approach, while recommending refinements to improve security, operational clarity, and risk management. Key recommendations include avoiding temporary reduction in cryptographic strength, strengthening safeguards around pre-generated key materials, simplifying the transition phases, and adopting telemetry-driven decision-making for key revocation. These...
Submission Summary:
The proposal to reduce the RSA ZSK to 1536 bits is misguided, prioritizing UDP packet size over essential cryptographic strength and disregarding modern security standards. Furthermore, the reliance on pre-computed SKRs creates significant risk of unauthorized downgrade attacks, while the inclusion of Phase DD relies on security through obscurity, and the static 70-day revocation timer for the RSA KSK is an arbitrary metric that ign...
Submission Summary:
The proposal requires further clarification and technical justification before proceeding. While the overall objective of transitioning the Root Zone KSK signing algorithm is acknowledged, the document lacks sufficient detail regarding key decision points, security trade-offs, and operational considerations.
In particular, the rationale for reducing the RSA 2048-bit ZSK to 1536 bits is not adequately supported, and the associated reducti...
Submission Summary:
Agree to include the algorithm roll of the ZSK as part of the proposal, rather than adjusting the bit length of the ZSK (reducing from 2048 to 1536; it is necessary to clarify that 1536 is not a common RSA key length).
In the algorithm selection section, it is necessary to note the algorithm for KSK-2024. After all, it is already 2026, and the literal meaning suggests that it is the name of a key with the ECDSA P-256 algorithm.
The...
Submission Summary:
Summary: Needs work. Do not proceed as written. The plan is missing most information about the decision process for the critical choices. This will restrict most reviews to a somewhat superficial level. In the attachment, Minor 7 indicates a flaw with publication timing. Major 1 suggests an approach that does not require reducing the signature strength of the root zone for 3 years.
The plan was difficult t...