Automated Trust Anchor Update Testbed

The root zone Key Signing Key (KSK) is changing, or rolling, in the near future. Operators of recursive resolvers with DNSSEC validation enabled will need to ensure that their systems are updated with the new root zone KSK configured as a trust anchor before that date. If a recursive resolver supports RFC 5011, "Automated Updates of DNS Security (DNSSEC) Trust Anchors", and this feature is properly configured, the new KSK should automatically be installed as a trust anchor and DNSSEC validation should continue without problems.

If a validating resolver's implementation or configuration of the RFC 5011 automated trust anchor update protocol is incorrect for any reason, then its configuration might not be properly updated during the root zone KSK roll and resolution would fail after the roll.

This testbed allows operators of validating resolvers to test their implementation and confirm its ability to properly follow a KSK roll and update its trust anchor configuration.


Please read both of these pages before starting to use the testbed. This test tool assumes that you understand the upcoming KSK change, and at least some about RFC 5011.

Purpose of This Testbed

The test system described here allows the operator of a validating recursive resolver to test its support for the RFC 5011 automated trust anchor update protocol and therefore its readiness for the root zone KSK roll. The test operates in real time and should not affect the resolver's normal operation. The testbed works by starting a KSK roll in a new zone each week. These test zones are not used for any other purpose. For example, the current zone name is Because this zone is used only for the testbed and contains no names any user would ever resolve, it is safe to configure these tests on a production validating resolver. The result of the test will be either higher assurance that the server is working correctly, or tangible information about how the server may be misconfigured.

A new zone begins a KSK roll each week, so you can join at any point. The entire test takes about 45 days, but the most important results are available about 30 days after the test begins.

If running the test shows that your validating resolver is not properly configured, you can address any issues and run the test again, hopefully before the root zone KSK rollover. Further, ICANN wants to hear about any unsuccessful experiences you have with the testbed in order to help our data gathering during the root zone KSK roll process.

Brief Description of RFC 5011

RFC 5011 describes a protocol for updating trust anchors for DNSSEC. Its primary motivation is to make it easier to replace a KSK whose private key has been compromised, but it is also applicable to the situation where there is a desire to change the KSK for normal operational reasons.

In RFC 5011, the current trusted KSK signs a RRset that contains a new KSK so that the new KSK becomes trusted and is configured as a trust anchor. The new KSK is not trusted immediately: instead, there is a 30 day period (called the "hold-down time") when the new key is in preparation for acceptance. Only after the 30 days of continuous publication signed by the old KSK is the new KSK trusted.

Most current implementations of validating recursive resolvers implement RFC 5011. These include BIND version 9, Unbound, Knot DNS, and others. Note, however, that most of these packages allow you to either use RFC 5011 to do automatic updates, or to use manual configuration of trust anchors. If you configure your system to use manual configuration, this testbed will not help you test your implementation.

Participating in the Testing

To join the current test (which starts on each Sunday at 0001 UTC), click on the link at the bottom of this page. Joining entails joining a mailing list that tells you what steps to take at what times to perform the tests. Subscribing to the mailing list does not obligate you to anything; instead, it gives you instructions for configuring the current testbed zone's KSK as a trust anchor. The test zone's KSK will then be rolled and, if your resolver is correctly configured to run the RFC 5011 automated trust anchor update protocol, it will automatically track the KSK change.

When you join, we will email you detailed instructions for each step, as well as telling you what to watch for and when to look. After that, you will get messages at least once a week explaining the current state of the test you are in, and the date of the next interesting step in the test.

We won't use your email for any other purpose than this testbed, and we will delete the list of addresses that participated in the testbed when we close down the system.

In addition, we want to hear about any unsuccessful experiences to help our data gathering during the real KSK roll. This will help us later assist other operators who might also encounter the same problems you did.

How To Join

To join the testbed for the current zone:

Click Here


You can reach a human to ask questions about the testbed at

ICANN logo