Unexpected Effects of the 2018 Root Zone KSK Rollover
4 APRIL 2019
March 22, 2019 saw the completion of the final important step in the Key Signing Key (KSK) rollover – a process which began about a year and half ago. What may be less well known is that post rollover, and until just a couple days ago, Verisign was receiving a dramatically increasing number of root DNSKEY queries, to the tune of 75 times higher than previously observed, and accounting for ~7 percent of all transactions at the root servers we operate.
In July 2017, a new root zone Domain Name System Security Extensions (DNSSEC) KSK was first published in the DNS. That is the point at which validating resolvers all over the internet could begin the process of automatically updating their DNSSEC trust anchor, and many did. According to the best available data at the time, however, a small percentage of validators were not automatically updated. This, among other factors, led Internet Corporation for Assigned Names and Numbers (ICANN) to postpone the rollover and study the situation.
The rollover resumed in 2018, and in October, the root zone’s DNSSEC keys were first signed with the new KSK. Those of us closely observing the rollover heard of only a very small number of problem reports affecting end users, albeit after a significant amount of study and end-user outreach by Verisign and others, and everyone agrees the successful rollover was a significant milestone. There was, however, observable change in traffic to the root name servers. As the graph below shows, the rate of queries for the root’s DNSKEY data increased by a factor of five. Just prior to the rollover, Verisign’s root servers received about 15 million such queries per day. After the rollover, it increased to about 75 million.