October 2018 saw the culmination of a years-long project to roll the root zone DNSSEC Key Signing Key. More recently, the old KSK was published as revoked. In this presentation we use passively and actively collected datasets to explore how validating recursive name servers were impacted by the root zone KSK rollover and revocation. This data includes RFC 8145 trust anchor signals, query traffic to root servers, and "root canary" measurements made via RIPE Atlas probes.
While the rollover and revocation are generally perceived to be a non-event, our data shows some significant changes in behavior by individual DNS clients that may have impacted end user queries. These analyses and techniques may be useful in planning and conducting future KSK rollovers.
|Talk Duration||30 Minutes|