ICANN asks for public input on planned change to a core Internet security key

ICANN has opened a public consultation on a proposal to change the cryptographic algorithm used to secure the core of the Internet’s domain name system. The change, planned to begin in 2027, affects how trust is established when users access websites worldwide.

The Internet Corporation for Assigned Names and Numbers has opened a public comment process on a proposal to change the cryptographic algorithm used for the Domain Name System (DNS) root zone’s Key Signing Key, often referred to as the Root KSK. This key is a fundamental part of how the internet verifies that domain name information is authentic and has not been tampered with.

To understand why this matters, it helps to start with the DNS itself. The DNS is often described as the internet’s address book. It translates human-readable website names, such as example.com, into numerical IP addresses that computers use to communicate. Because this system is so critical, it is protected by a security mechanism called DNS Security Extensions, or DNSSEC.

DNSSEC works by using cryptographic keys to digitally sign DNS data. At the very top of this system is the Root KSK, which acts as a global trust anchor. If this key is trusted, then all other signed DNS information can be trusted as well. The Root KSK is managed as part of the Internet Assigned Numbers Authority functions, operated by ICANN.

Since DNSSEC was introduced for the root zone in 2010, the Root KSK has used a specific cryptographic algorithm based on RSA and SHA-256. While the key itself was replaced once before, in 2018, the underlying algorithm has never changed. Over time, however, cryptographic best practices evolve, and newer algorithms can offer better efficiency or security.

The current proposal sets out a multi-year plan to move from the existing RSA-based algorithm to a newer one based on ECDSA. According to the proposal, a new ECDSA Root KSK would be generated in 2027, and the older RSA-based key would be fully retired by 2029. This gradual approach is intended to give internet operators enough time to update their systems.

ICANN is asking for feedback on several aspects of the plan. This includes whether the proposed timeline is realistic, whether DNS resolvers and authoritative servers are technically ready to handle the new algorithm, and whether there are additional risks that the proposal may not have fully addressed.

The work on this proposal began after a 2021 review of internet security and stability identified the lack of a clear process for changing DNSSEC algorithms at the root level. Following that review, ICANN worked with its root zone partners and technical experts, including Verisign, to study possible approaches and assess readiness across the internet ecosystem.

The public comment period is open from 3 February to 6 April 2026. Feedback received during this time will be used to refine the implementation plan before any operational changes are made. While the process is highly technical, its goal is straightforward: to ensure that the internet’s core naming system remains secure and trustworthy as technology evolves.
