Skip to content
Tech News
← Back to articles

Rolling the Root Key

2026-05-05 | original
read original get Hardware Security Module (HSM) → more articles
Why This Matters

This article highlights the importance of regularly updating cryptographic keys and algorithms to stay ahead of evolving computational capabilities, including the potential threat posed by quantum computers. For the tech industry and consumers, understanding these practices is crucial for maintaining long-term data security and privacy. Proactive cryptographic management ensures that sensitive information remains protected against future computational advances.

Key Takeaways

In cryptography, no cryptographic key is eternal — breaking a key is not a computationally impossible problem, it’s just a computationally infeasible problem!

In practice, it’s infeasible to assemble a large enough pool of processing capability and enough time to try every possibility to derive the private key value. But if a key is used for an extended period of time, then a potential attacker has the same extended time to attempt to break the key.

Limiting the time a key is used and limiting the time that you require the encrypted material to be considered a secure secret can help in ensuring the secrecy of the material within those bounds.

The outcome is that cryptographic material, like cryptographic keys, algorithms, and key sizes, needs to be regularly reevaluated and revised in light of the evolution of computational capacity and the duration of the intended secrecy of the material. A cryptographically acceptable algorithm and key should not be breakable using available (and projected available) computational resources over the period of time that you wish to maintain the integrity of the information that has been digitally signed or encrypted.

The requirement to factor in projected computational capacity has become more challenging. To protect the key used to encrypt information for a period of 20 years, a common lifetime for secrets, we need to consider whether quantum computers will form part of the arsenal of accessible computation capability in that period. If the answer is ‘yes’, then we must immediately consider how to transition to so-called post-quantum cryptographic algorithms. On the other hand, if the intended lifetime of a secret is five years or less, then the construction of cryptographically relevant quantum computers for use in production environments is less of a concern.

For DNSSEC — and most of the DNS infrastructure — the algorithms used by DNSSEC do not have to meet these tougher post-quantum cryptographic standards at present. The intended lifetime of use of DNSSEC keys is generally around several months, or a year or two at most.

The single exception to this observation is the root key of the DNS, the Root Key Signing Key (KSK). The first KSK was in service for eight years, and its successor has now been in service for just under eight years. The long key lifetime of the Root KSK is because there is no convenient way to introduce a new KSK value and have it rapidly integrated into the Trust Anchor (TA) sets of all DNSSEC-validating DNS resolvers.

... continue reading

Explore topics: cryptography root key quantum computers key management encryption
Related:
Ads on Apple Maps
Yet Another Way to Bypass Google Chrome's Encryption Protection
Proton Meet
Microsoft Edge stores all your saved passwords unencrypted in memory
Quantum Key Distribution (QKD) and Quantum Cryptography (QC)

© 2026 GoKawiil

About | Editorial Policy | Contact