Hello,
for your information, SWITCH will perform a DNSSEC algorithm rollover from RSA to ECDSA for ch. and li.
ECDSA uses smaller keys and signatures than their RSA counterparts, which means responses to DNS queries are smaller.
ECDSA was already standardised for use in DNSSEC in 2012. While switch.ch has been signed with ECDSA since 2016, IANA, the root zone operator, has only recently allowed TLDs to use it.
The changes to the DNSKEY record sets of the ch. and li. zones are as follows, with times reported in UTC:

2018-11-21T13:30 Add new ECDSA key to DNSKEY record set
2018-12-21T13:30 Remove old RSA key from DNSKEY record set
During this interval, the chain of trust for ch. and li. will be updated in the root zone to point to the new ECDSA key only.
Operators of DNSSEC validating DNS resolvers do not need to do anything. In the unlikely case that your validating DNS resolver only understands RSA but not ECDSA, it will answer ch. or li. queries as if they were not DNSSEC signed.
You can test which DNSSEC algorithms are supported by the DNS resolver(s) configured on your system by visiting: https://rootcanary.org/test.html
Best regards,
Daniel Stirnimann, SWITCH
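
The resolver behaviour described in the announcement, modelled as an added example (not part of the original message and not SWITCH's tooling). It assumes algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256), which the announcement does not name; the key tags, digests and phase names are constructed, and key tag plus algorithm matching stands in for real digest and signature verification.

```python
# Added example: how a validating resolver classifies a delegation during an
# algorithm rollover (decision simplified from RFC 4035 section 5.2).
# Assumptions: algorithm numbers 8/13, key tags and digests are constructed.
RSASHA256, ECDSAP256SHA256 = 8, 13

def parse_ds(line):
    """Parse 'owner. IN DS <key tag> <algorithm> <digest type> <digest>'."""
    _owner, _cls, rtype, tag, alg, _dtype, _digest = line.split()
    if rtype != "DS":
        raise ValueError("not a DS record: " + line)
    return int(tag), int(alg)

def resolver_view(ds_lines, dnskeys, supported):
    """Return 'secure', 'insecure' or 'bogus' for one delegation.

    ds_lines : DS records published in the parent (root) zone
    dnskeys  : set of (key tag, algorithm) in the child's DNSKEY record set
    supported: algorithm numbers this resolver can validate
    """
    usable = [ds for ds in map(parse_ds, ds_lines) if ds[1] in supported]
    if not usable:
        # No DS uses an algorithm the resolver understands: the zone is
        # treated as unsigned rather than as a validation failure.
        return "insecure"
    # A usable DS must match a key in the child zone, otherwise the chain breaks.
    return "secure" if any(ds in dnskeys for ds in usable) else "bogus"

# Constructed records (placeholders, not real ch. data).
DS_RSA = "ch. IN DS 11111 8 2 00PLACEHOLDER"
DS_ECDSA = "ch. IN DS 22222 13 2 00PLACEHOLDER"
OLD, NEW = (11111, RSASHA256), (22222, ECDSAP256SHA256)

PHASES = {
    "before rollover": ([DS_RSA], {OLD}),
    "ECDSA key added": ([DS_RSA], {OLD, NEW}),
    "root DS points to ECDSA": ([DS_ECDSA], {OLD, NEW}),
    "RSA key removed": ([DS_ECDSA], {NEW}),
}

def timeline(supported):
    """Map each rollover phase to the resolver's view of the zone."""
    return {name: resolver_view(ds, keys, supported)
            for name, (ds, keys) in PHASES.items()}

if __name__ == "__main__":
    for label, algs in (("RSA+ECDSA resolver", {8, 13}), ("RSA-only resolver", {8})):
        print(label, timeline(algs))
```

The "bogus" outcome only appears if the parent's DS changes before the matching key is in the child's DNSKEY record set, which is why the key is added first and the old key removed last.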