[lacnog] Fwd: Proposal for Root Zone KSK Algorithm Rollover

Tomas Lynch tomas.lynch at gmail.com
Wed Feb 4 09:02:08 -03 2026


Carlos,

Why is a transition being done rather than a complete migration? I
imagine it is because there are people who won't find out that the
protocol that generates the key is being changed until the last day. If
that is the case, who should start worrying right now?

Another question. As with everything in life, there are fanatics; are
there any for RSA vs. ECDSA?

Regards,

Tomás

On Tue, Feb 3, 2026 at 4:57 PM Carlos Martinez-Cagnazzo <carlos at lacnic.net>
wrote:

> Hi everyone!
>
> At ICANN they are considering carrying out an "algorithm rollover" of the
> root KSK, that is, changing the _algorithm_ used to generate the key pair
> that is used to sign the DNS root zone.
>
> I am sending you the public consultation since it may be of interest to
> you as operators.
>
> Regards
>
> /Carlos
>
>
> -------- Forwarded Message --------
> Subject: Proposal for Root Zone KSK Algorithm Rollover
> Date: Tue, 3 Feb 2026 21:06:14 +0000
> From: Andres Pavez via root-dnssec-announce
> <root-dnssec-announce at icann.org>
> Reply-To: Andres Pavez <andres.pavez at iana.org>
> To: root-dnssec-announce at icann.org
>
> We would like to announce that the Proposal for Root Zone KSK Algorithm
> Rollover has been released for public comment and is available for review
> on the ICANN website:
>
> https://www.icann.org/en/public-comment/proceeding/proposed-root-ksk-algorithm-rollover-03-02-2026
>
> The proposal describes a multi-year plan to generate a new ECDSA Root KSK
> in 2027 and retire the RSA Root KSK by 2030. It includes:
>
> * Transitioning the DNS root KSK from RSA/SHA-256 to ECDSA P-256/SHA-256
> * Following a traditional double-signing approach, with both algorithms
> running in parallel during the transition
> * Adjusting the RSA ZSK size from 2048 to 1536 bits prior to the
> transition, to reduce the possible need for truncation and retransmission
> over TCP.
>
> Community feedback on the methodology, timeline, operational readiness,
> and any additional risks is encouraged.
> The public comment period is open through 6 April 2026.
>
> Thanks,
>
> --
> Andres Pavez Cryptographic Key Manager
>
>
>
> _______________________________________________
> LACNOG mailing list
> LACNOG at lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
>