Automated Trust Anchor Update Testbed

The root zone Key Signing Key (KSK) is changing, or rolling, on 11 October 2017. Operators of recursive resolvers with DNSSEC validation enabled will need to ensure that their systems are updated with the new root zone KSK configured as a trust anchor before that date. If a recursive resolver supports RFC 5011, "Automated Updates of DNS Security (DNSSEC) Trust Anchors", and this feature is properly configured, the new KSK should automatically be installed as a trust anchor and DNSSEC validation should continue without problems.

If a validating resolver's implementation or configuration of the RFC 5011 automated trust anchor update protocol is incorrect for any reason, then its configuration might not be properly updated during the root zone KSK roll and resolution would fail after 11 October 2017.

Because it is less than 30 days before the 11 October rollover date, this testbed is no longer useful as a preparation for that rollover. Instead, you need to check your configuration and see whether you are ready. Instructions for checking your current trust anchors can be found at, and instructions for updating to the current trust anchors can be found at

General information about the KSK rollover can be found at


You can reach a human to ask questions about the testbed at

ICANN logo