May 12 – 13, 2019
Shangri-La Bangkok
Asia/Bangkok timezone

KSK Rollover Post-Analysis

May 13, 2019, 10:00 AM
Ballroom 1 (Shangri-La Bangkok)

Ballroom 1

Shangri-La Bangkok

89 ซอย Wat Suan Plu - Dumex, Khwaeng Bang Rak, Khet Bang Rak, Krung Thep Maha Nakhon 10500, Thailand
Standard Presentation Public Workshop


Duane Wessels (Verisign)


October 2018 saw the culmination of a years-long project to roll the root zone DNSSEC Key Signing Key. More recently, the old KSK was published as revoked. In this presentation we use passively and actively collected datasets to explore how validating recursive name servers were impacted by the root zone KSK rollover and revocation. This data includes RFC 8145 trust anchor signals, query traffic to root servers, and "root canary" measurements made via RIPE Atlas probes.

While the rollover and revocation are generally perceived to be a non-event, our data shows some significant changes in behavior by individual DNS clients that may have impacted end user queries. These analyses and techniques may be useful in planning and conducting future KSK rollovers.

Talk Duration 30 Minutes

Primary author

Duane Wessels (Verisign)


Wes Hardaker (USC/ISI) Taejoong Chung (Rochester Institute of Technology) Matthew Thomas (Verisign) Willem Toorop (NLnet Labs) Moritz Müller (SIDN) Dr Roland van Rijswijk-Deij (NLnet Labs)

Presentation materials

There are no materials yet.