Home / News I have a News Tip

Unexpected Behaviour Observed With DNS Root Servers After Cryptographic Change

The DNS root servers were reported by Verisign to be under unexpected attack from name servers across the Internet following ICANN's recent changes to their cryptographic master keys. Kevin Murphy reporting in Domain Incite writes: "The company, which runs the A and J root servers, said it saw requests for DNSSEC data at the root increase from 15 million a day in October to 1.15 billion a day a week ago. The cause was the October 11 root Key Signing Key rollover, the first change ICANN had made to the 'trust anchor' of DNSSEC since it came online at the root in 2010."

Verisign's Principal Research Scientist at Verisign in his post Unexpected Effects of the 2018 Root Zone KSK Rollover, says: "March 22, 2019, saw the completion of the final important step in the Key Signing Key (KSK) rollover — a process which began about a year and half ago. What may be less well known is that post rollover, and until just a couple days ago, Verisign was receiving a dramatically increasing number of root DNSKEY queries, to the tune of 75 times higher than previously observed, and accounting for ~7 percent of all transactions at the root servers we operate."

With the removal of the revoked key, DNSKEY query rates are now returning to pre-revocation levels, says Verisign.

Editor's Note: The title of this post was edited to omit the previously misused phrase "dns root servers came under attack" as per feedback received from the community.

Follow CircleID on

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

This clickbait title is false, misleading and Stephane Bortzmeyer  –  Mar 28, 2019 12:33 AM PST

This clickbait title is false, misleading and irresponsible. There was no attack at all.

False Chris Buijs  –  Mar 28, 2019 11:34 AM PST


To post comments, please login or create an account.



IP Addressing

Sponsored byAvenue4 LLC


Sponsored byVerisign

DNS Security

Sponsored byAfilias


Sponsored byThreat Intelligence Platform


Sponsored byWhoisXML API

Brand Protection

Sponsored byAppDetex

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias