[lacnog] Fwd: Proposal for Root Zone KSK Algorithm Rollover

Carlos Martinez-Cagnazzo carlos en lacnic.net
Mar Feb 3 18:57:08 -03 2026 

Hola a todos!

En ICANN están considerando realizar un "algorithm rollover" de la KSK 
de la raiz, es decir cambiar el _algoritmo_ que se utiliza para generar 
el par de claves que se utiliza para firmar la zona raiz del DNS.

Les envio la consulta publica ya que puede ser de interes de ustedes 
operadores.

s2

/Carlos



-------- Forwarded Message --------
Subject: 	Proposal for Root Zone KSK Algorithm Rollover
Date: 	Tue, 3 Feb 2026 21:06:14 +0000
From: 	Andres Pavez via root-dnssec-announce 
<root-dnssec-announce en icann.org>
Reply-To: 	Andres Pavez <andres.pavez en iana.org>
To: 	root-dnssec-announce en icann.org <root-dnssec-announce en icann.org>



We would like to announce that the Proposal for Root Zone KSK Algorithm 
Rollover has been released for public comment and is available for 
review on the ICANN website:

https://www.icann.org/en/public-comment/proceeding/proposed-root-ksk-algorithm-rollover-03-02-2026 

The proposal describes a multi-year plan to generate a new ECDSA Root 
KSK in 2027 and retire the RSA Root KSK by 2030. It includes:

* Transitioning the DNS root KSK from RSA/SHA-256 to ECDSA P-256/SHA-256
* Following a traditional double-signing approach, with both algorithms 
running in parallel during the transition
* Adjusting the RSA ZSK size from 2048 to 1536 bits prior to the 
transition, to reduce the possible need to truncation and retransmission 
over TCP.

Community feedback on the methodology, timeline, operational readiness, 
and any additional risks is encouraged.
The public comment period is open through 6 April 2026.

Thanks,

-- 
Andres Pavez Cryptographic Key Manager

------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20260203/4f4a0a5d/attachment.htm>
------------ próxima parte ------------
_______________________________________________
root-dnssec-announce mailing list -- root-dnssec-announce en icann.org
To unsubscribe send an email to root-dnssec-announce-leave en icann.org

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Más información sobre la lista de distribución LACNOG