This web page is designed to test your network's ability to resolve domain names that have been signed with "large" DNSSEC keys. See the explanations below for additional information.


# Description KSKs ZSKs Signed

Larger ZSK

The size of the root zone Zone Signing Key (ZSK) was increased on October 1, 2016. Prior to that date, this page included tests for zones signed with 1024-bit ZSKs. Now that the ZSK length change is complete, those tests have been removed.

KSK Rollover

ICANN is progressing with plans to roll the root zone Key Signing Key (KSK) in 2017. Tests 1–4 above simulate a KSK rollover. In particular, they simulate the period during which the outgoing KSK would be published with its revoke bit set, alongside the new KSK.


  1. If you see failures for these tests, your DNS name server may not be able to receive large response messages. The organization or persons responsible for the operation of your name server should check its configuration and/or error logs. In order to receive large DNS responses, the name server may need to receive UDP fragments and/or DNS messages over TCP.

  2. You may also find it helpful to load this page after entering your browser's developer mode and selecting the Network tab.

  3. The signed DNSKEY response sizes shown in the table above are larger than those for the root zone because the test zone names are longer than the root zone name.
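The check described in note 1, as an added example (not code from this page or its operator): it builds a DNSKEY query with EDNS0 and the DO bit set, then classifies a UDP reply as fitting one packet, needing IP fragments, or truncated and requiring TCP. The function names, the 1500-byte path MTU, and the sample replies are assumptions constructed for illustration.

```python
import socket, struct

DNSKEY, OPT, TC_BIT, DO_BIT = 48, 41, 0x0200, 0x8000

def build_query(name, bufsize=4096, qid=0x1234):
    """DNSKEY query carrying an EDNS0 OPT record: advertised UDP size, DO=1."""
    labels = [l.encode("ascii") for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = qname + struct.pack("!2H", DNSKEY, 1)       # class IN
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, DO_BIT, 0)
    return header + question + opt

def classify(udp_payload, path_mtu=1500):
    """What the resolver's network path must allow for this UDP reply to be usable."""
    flags = struct.unpack("!H", udp_payload[2:4])[0]
    if flags & TC_BIT:
        return "retry-over-tcp"           # truncated: TCP port 53 must be reachable
    if len(udp_payload) + 28 > path_mtu:  # 20-byte IPv4 header + 8-byte UDP header
        return "needs-udp-fragments"      # delivered as IP fragments
    return "fits-one-packet"

def fetch_dnskey(server, name, bufsize=4096, timeout=3.0):
    """Live check (needs network): try UDP, fall back to TCP on truncation or timeout."""
    query = build_query(name, bufsize)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            verdict = classify(s.recvfrom(65535)[0])
        if verdict != "retry-over-tcp":
            return verdict
    except socket.timeout:
        verdict = "udp-timeout"           # consistent with dropped fragments
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS: 2-byte length prefix
        stream = t.makefile("rb")
        prefix = stream.read(2)
        size = struct.unpack("!H", prefix)[0] if len(prefix) == 2 else 0
        got = len(stream.read(size))
    return f"{verdict}, tcp {'ok' if size and got == size else 'failed'} ({got} bytes)"

if __name__ == "__main__":
    hdr = lambda flags: struct.pack("!6H", 0x1234, flags, 1, 1, 0, 1)  # constructed replies
    for reply in (hdr(0x8380), hdr(0x8180) + bytes(1600), hdr(0x8180) + bytes(500)):
        print(len(reply), classify(reply))
```

With network access, `fetch_dnskey("192.0.2.53", "example.com")` runs the same logic against a resolver; both arguments are placeholders to be replaced with your own name server and a signed zone.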