Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover

Moritz Müller, Matthew Thomas, Duane Wessels, Wes Hardaker, Taejoong Chung, Willem Toorop, Roland van Rijswijk-Deij

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

5 Citations (Scopus)
33 Downloads (Pure)


The DNS Security Extensions (DNSSEC) add authenticity and integrity to the naming system of the Internet. Resolvers that validate information in the DNS need to know the cryptographic public key used to sign the root zone of the DNS. Eight years after its introduction and one year after the originally scheduled date, this key was replaced by ICANN for the first time in October 2018. ICANN considered this event, called a rollover, "an overwhelming success" and during the rollover they detected "no significant outages".

In this paper, we independently follow the process of the rollover starting from the events that led to its postponement in 2017 until the removal of the old key in 2019. We collected data from multiple vantage points in the DNS ecosystem for the entire duration of the rollover process. Using this data, we study key events of the rollover. These events include telemetry signals that led to the rollover being postponed, a near real-time view of the actual rollover in resolvers and a significant increase in queries to the root of the DNS once the old key was revoked. Our analysis contributes significantly to identifying the causes of challenges observed during the rollover. We show that while from an end-user perspective, the roll indeed passed without major problems, there are many opportunities for improvement and important lessons to be learned from events that occurred over the entire duration of the rollover. Based on these lessons, we propose improvements to the process for future rollovers.
Original languageEnglish
Title of host publicationIMC '19
Subtitle of host publicationProceedings of the Internet Measurement Conference
PublisherAssociation for Computing Machinery
Number of pages14
ISBN (Electronic)9781450369480
ISBN (Print)978-1-4503-6948-0
Publication statusPublished - 21 Oct 2019
EventInternet Measurement Conference, IMC 2019 - Koninklijk Instituut voor de Tropen, Amsterdam, Netherlands
Duration: 21 Oct 201923 Oct 2019


ConferenceInternet Measurement Conference, IMC 2019
Abbreviated titleIMC
Internet address


  • Cybersecurity


Dive into the research topics of 'Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover'. Together they form a unique fingerprint.

Cite this