Dear ccTLD managers, I am forwarding you the message below, on behalf of Duane Wessels at Verisign. In case you have any questions, please reach out to Duane directly at dwessels@verisign.com = = = Verisign, in its role as the root zone ZSK operator, is transitioning to a new Hardware Security Module (HSM) product for the root zone's Zone Signing Key (ZSK). The current HSM vendor, Ultra Intelligence & Communications, has announced their KeyperPLUS will no longer be supported by them. Verisign will use an HSM product from Thales for the root zone ZSK going forward. On July 1, 2025 we will begin using the Thales HSM to sign the root zone on a daily basis. Although we anticipate this will be a seamless change for end users and anticipate no problems, prudence dictates that we need a backout plan, should it become necessary. As part of our backout plan, we will be post-publishing the previous quarter's ZSK for a longer than normal period of time. Normally, following a quarterly ZSK rollover, the previous key is post-published for a period of 10 days. As part of our HSM transition, we will instead post-publish the previous ZSK for a period of 80 days. This provides ample time to remediate any issues that may arise as part of this transition, and should it become necessary, to revert to using the old HSM to sign the root zone. = = = Thank you. Best regards. Joke Braeken joke.braeken@icann.org Read more about the ccNSO Program at ICANN83: https://icann-community.atlassian.net/wiki/x/AYDTCw