This web page is designed to test your network's ability to resolve domain names that have been signed with "large" DNSSEC keys. See the explanations below for additional information.

Test ID at

# Description KSKs ZSKs Signed

Larger ZSK

The size of the root zone Zone Signing Key (ZSK) is scheduled to be increased on October 1, 2016. Tests 1–6 above simulate a larger ZSK. If you see "FAIL" for any of these tests, then you might have difficulty resolving domain names when the root zone ZSK size increases.

KSK Rollover

It is possible that the root zone Key Signing Key (KSK) will be rolled over within the next couple of years. Tests 7–9 above simulate a KSK rollover. In particular, they simulate the period during which the outgoing KSK would be published with its revoke bit set, alongside the new KSK.


  1. If you see failures for these tests, your DNS name server may not be able to receive large response messages. The organization or persons responsible for the operation of your name server should check its configuration and/or error logs. In order to receive large DNS responses, the name server may need to receive UDP fragments and/or DNS messages over TCP.

  2. You may also find it helpful to load this page after entering your browser's developer mode and selecting the Network tab.

  3. The signed DNSKEY response sizes shown in the table above are larger than those for the root zone because the test zone names are longer than the root zone name.