[ksk-rollover] Increased DNSKEY queries to the root servers since the KSK-2010 revocation

Paul Hoffman paul.hoffman at icann.org
Tue Jan 15 18:19:07 UTC 2019

Greetings again. Soon after the new DNSKEY RRset was published at 1400 UTC on 11 January 2019 with KSK-2010 revoked, there was a noticeable increase in ./IN/DNSKEY queries sent to root servers. While we have heard of no DNS service interruption for users, the average DNSKEY query load over all servers has more than doubled to between 2% and 2.5%. The increase was quite varied between the different root servers; some experienced almost no increase at all, while others experience an increase of up to 5%.
Although some resolvers are newly making rapid queries to the root servers for the root’s DNSKEY RRset, we see no indication that those resolvers are failing to answer DNS queries from their customers. We will continue to monitor the situation.
The ICANN organization is evaluating the traffic at the L-root to try to characterize the resolvers that are rapidly asking for the root’s DNSKEY RRset. From this, we can determine if we are able to help the operators of those resolvers to remediate this anomalous behavior. We will also share data with other root server operators who are conducting similar investigations. The results will be reported when our analysis is complete.
--Paul Hoffman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3935 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190115/541d9723/smime.p7s>

More information about the ksk-rollover mailing list