Root DNSKEY Queries, To The Tune Of 75 Times Higher Following KSK Rollover: Verisign

Following the completion of the final step of the KSK rollover on 22 March this year, Verisign reported this week they’ve been seeing a significant increase in root DNSKEY queries up until a couple of days ago and queries have now returned to a normal number. But why Verisign is not yet able to explain.

In a post on the Verisign blog, Duane Wessels writes that Verisign have been recording post rollover and until just a couple days ago, they were receiving a dramatically increasing number of root DNSKEY queries, to the tune of 75 times higher than previously observed, and accounting for ~7 percent of all transactions at the root servers they operate.

Wessels goes on to write “In January of 2019, the root zone was published with the old KSK marked as ‘revoked.’ Marking the old KSK as ‘revoked’ tells validating resolvers that it should be removed as a trust anchor, since it will not ever be used again for generating DNSSEC signatures. Everyone involved expected this to be a non-event. However, we instead saw an even bigger increase in DNSKEY queries coming from a population of root server clients. As of March 21, 2019, Verisign’s root name servers receive about 1.15 billion DNSKEY queries per day, which is 75 times higher than pre-rollover levels and nearly 7 percent of our total steady state query traffic.”

“Unlike the first increase, which remained level throughout the months of October, November and December, the second increase exhibits a disturbing trend which continued to grow and grow. With the assistance of some root server operator colleagues, we are just beginning to understand the cause of these increases.

“On March 22, 2019, the old key (marked as revoked) was removed from the root zone. This took place according to the revised plan and schedule, in order to accommodate the root zone Zone Signing Key (ZSK) rollover taking place on April 1, 2019.

“We are pleased to report that, with the removal of the revoked key, DNSKEY query rates are now returning to pre-revocation levels. Thus, it would seem that the presence of the revoked key in the zone triggered some unexpected behavior in a population of validating resolvers.”

To explain the background of the KSK rollover, Wessels writes “In July 2017, a new root zone Domain Name System Security Extensions (DNSSEC) KSK was first published in the DNS. That is the point at which validating resolvers all over the internet could begin the process of automatically updating their DNSSEC trust anchor, and many did. According to the best available data at the time, however, a small percentage of validators were not automatically updated. This, among other factors, led Internet Corporation for Assigned Names and Numbers (ICANN) to postpone the rollover and study the situation.”

“The rollover resumed in 2018, and in October, the root zone’s DNSSEC keys were first signed with the new KSK. Those of us closely observing the rollover heard of only a very small number of problem reports affecting end users, albeit after a significant amount of study and end-user outreach by Verisign and others, and everyone agrees the successful rollover was a significant milestone. There was, however, observable change in traffic to the root name servers. As the graph below shows, the rate of queries for the root’s DNSKEY data increased by a factor of five. Just prior to the rollover, Verisign’s root servers received about 15 million such queries per day. After the rollover, it increased to about 75 million.”