<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello everyone!</p>
<p>ICANN is considering carrying out an "algorithm rollover" of
the root KSK, that is, changing the _algorithm_ that is used
to generate the key pair that is used to sign the DNS root
zone.</p>
<p>I am sending you the public consultation since it may be of
interest to you as operators. </p>
<p>Regards</p>
<p>/Carlos</p>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table cellpadding="0" cellspacing="0" border="0"
class="moz-email-headers-table">
<tbody>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">Subject:
</th>
<td>Proposal for Root Zone KSK Algorithm Rollover</td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">Date: </th>
<td>Tue, 3 Feb 2026 21:06:14 +0000</td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">From: </th>
<td>Andres Pavez via root-dnssec-announce
<a class="moz-txt-link-rfc2396E" href="mailto:root-dnssec-announce@icann.org">&lt;root-dnssec-announce@icann.org&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">Reply-To:
</th>
<td>Andres Pavez <a class="moz-txt-link-rfc2396E" href="mailto:andres.pavez@iana.org">&lt;andres.pavez@iana.org&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" align="RIGHT" nowrap="nowrap">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:root-dnssec-announce@icann.org">root-dnssec-announce@icann.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:root-dnssec-announce@icann.org">&lt;root-dnssec-announce@icann.org&gt;</a></td>
</tr>
</tbody>
</table>
<br>
<br>
We would like to announce that the Proposal for Root Zone KSK
Algorithm Rollover has been released for public comment and is
available for review on the ICANN website:<br>
<br>
<a class="moz-txt-link-freetext" href="https://www.icann.org/en/public-comment/proceeding/proposed-root-ksk-algorithm-rollover-03-02-2026">https://www.icann.org/en/public-comment/proceeding/proposed-root-ksk-algorithm-rollover-03-02-2026</a>
<br>
The proposal describes a multi-year plan to generate a new ECDSA
Root KSK in 2027 and retire the RSA Root KSK by 2030. It includes:<br>
<br>
* Transitioning the DNS root KSK from RSA/SHA-256 to ECDSA
P-256/SHA-256<br>
* Following a traditional double-signing approach, with both
algorithms running in parallel during the transition<br>
* Adjusting the RSA ZSK size from 2048 to 1536 bits prior to the
transition, to reduce the possible need for truncation and
retransmission over TCP.<br>
<br>
Community feedback on the methodology, timeline, operational
readiness, and any additional risks is encouraged. <br>
The public comment period is open through 6 April 2026.<br>
<br>
Thanks,<br>
<pre class="moz-signature">--
Andres Pavez Cryptographic Key Manager
</pre>
</div>
</body>
</html>