28 Nov. 2025

New DNSSEC key for .is

Since the ccTLD .is was DNSSEC signed in October 2013, it has been signed using RSASHA256 keys. At the time, that was the most used and recommended algorithm. In the 12 years since then, new algorithms have been published, and the ECDSA-P256-SHA256 algorithm is currently fast becoming the most used. The biggest reason for the change is that the new algorithms use much smaller keys without sacrificing security. This means that the zone, and responses that use DNSSEC, become much smaller.

Some of the biggest TLDs have already migrated to newer algorithms, and now it's time for ISNIC to migrate the .is domain to a new algorithm. We have already migrated our own domains (isnic.is, nic.is, etc.), and it went smoothly and without problems.

The migration process happens in a few stages, with waiting time between the stages to ensure that the caches in resolvers around the world are consistent with the data published in the zone. Therefore, it will take a few days for the migration to fully complete.