At-Large Workspace: Proposed Root KSK Algorithm Rollover

Public Comment Close: Apr 27, 2026

Statement Name: Proposed Root KSK Algorithm Rollover

Status: REVIEW

Assigned Working Group: CPWG

Assignee(s): Reviewers: @satish.babu, @adebunmi.akinbo, @Vanda Scartezini, @Tinuade Oguntuyi, @Leesi Ebenezer Mitee, @Nefertiti Marquez, @Carlton Samuels, @Maureen Owusu-Addae, Murray McKercher

Call for Comments Open: Feb 3, 2026

Call for Comments Close: Apr 27, 2026

Vote Open:

Vote Close:

Date of Submission:

Staff Contact and Email: james.mitchell@iana.org

Statement Number:




Where Community Input is Needed

The following text is from the public comment page and provides context around what is being commented on. 

This Public Comment proceeding requests community feedback on the proposed DNS root zone Key Signing Key (Root KSK) algorithm rollover. The Root KSK is the global trust anchor for DNSSEC and is managed under the Internet Assigned Names Authority (IANA) functions.

The proposal sets out a multi-year implementation plan, beginning with the generation of a new ECDSA Root KSK in 2027 and ending with the retirement of the RSA Root KSK in 2029. Community feedback is particularly encouraged on the following topics:

  • The proposed algorithm rollover methodology and implementation timeline.

  • Operational readiness, including resolver and authoritative server compatibility.

  • Identification of additional risks that haven’t been considered by the plan.

 


Executive Summary

A short executive summary, if the draft is ratified, will be placed here after the finalized document has been submitted. 








FINAL VERSION SUBMITTED (IF RATIFIED)

The final version to be submitted, if the draft is ratified, will be placed here upon completion of the vote.












FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.












DRAFT SUBMITTED FOR DISCUSSION

The first draft submitted will be placed here before the call for comments begins.