ICANN Announcements

Root Zone DNSSEC Algorithm Rollover Study Issues Final Report

23 May 2024

The Internet Corporation for Assigned Names and Numbers (ICANN) is pleased to announce the final report of the Root Zone Domain Name System Security Extensions (DNSSEC) Algorithm Rollover Study. Developed by a design team of staff and volunteers, the report provides a series of recommendations on both the selection of a cryptographic algorithm and how a rollover could be conducted for the DNS root zone.

With the publication of this report, ICANN will use the study's findings for future changes to the algorithm used to sign the root zone. The recommendations of the design team are not expected to impact the current Key Signing Key (KSK) rollover process that is underway but will be utilized for future rollovers. This current rollover sees the replacement of key equipment used to store the KSK (known as a Hardware Security Module, or HSM) after the supplier decided to exit the business.

ICANN's ambition is to perform a rollover every three years in normal operations. This would see the generation of the next key occur in approximately 2027, prior to which ICANN will assess the suitability of the current signing algorithm in line with recommendations from the design team. This timeline provides sufficient time for ICANN and the root zone management partners to develop the operational plans and systems necessary for changing the algorithm.

The security and stability of the DNS requires the capability to change keys. A rollover of the root KSK is the process of replacing one key with another, and performing rollovers helps exercise these mechanisms to ensure operational readiness.

To join the discussion related to changing the KSK, subscribe to the ksk-rollover mailing list.

About ICANN

ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a nonprofit public benefit corporation with a community of participants from all over the world.