Home / News

Unexpected Behaviour Observed With DNS Root Servers After Cryptographic Change

The DNS root servers were reported by Verisign to be under unexpected attack from name servers across the Internet following ICANN's recent changes to their cryptographic master keys. Kevin Murphy reporting in Domain Incite writes: "The company, which runs the A and J root servers, said it saw requests for DNSSEC data at the root increase from 15 million a day in October to 1.15 billion a day a week ago. The cause was the October 11 root Key Signing Key rollover, the first change ICANN had made to the 'trust anchor' of DNSSEC since it came online at the root in 2010."

Verisign's Principal Research Scientist at Verisign in his post Unexpected Effects of the 2018 Root Zone KSK Rollover, says: "March 22, 2019, saw the completion of the final important step in the Key Signing Key (KSK) rollover — a process which began about a year and half ago. What may be less well known is that post rollover, and until just a couple days ago, Verisign was receiving a dramatically increasing number of root DNSKEY queries, to the tune of 75 times higher than previously observed, and accounting for ~7 percent of all transactions at the root servers we operate."

With the removal of the revoked key, DNSKEY query rates are now returning to pre-revocation levels, says Verisign.

Editor's Note: The title of this post was edited to omit the previously misused phrase "dns root servers came under attack" as per feedback received from the community.

By CircleID Reporter – CircleID's internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


This clickbait title is false, misleading and By Stephane Bortzmeyer  –  Mar 28, 2019 1:33 am PDT

This clickbait title is false, misleading and irresponsible. There was no attack at all.

False By Chris Buijs  –  Mar 28, 2019 12:34 pm PDT


Add Your Comments

 To post your comments, please login or create an account.



Brand Protection

Sponsored byAppdetex

Domain Names

Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPXO