This web page is designed to test your network's ability to resolve domain names that have been signed with "large" DNSSEC keys. See the explanations below for additional information.

Test ID at

# Description KSKs ZSKs Signed

The tests provided on this web page were developed in 2016, in advance of two changes anticipated for the DNS root zone: (1) an increase in the size of the root zone Zone Signing Key (ZSK), and (2) a rollover of the root zone Key Signing Key (KSK).

The ZSK size was increased from 1024-bits to 2048-bits on October 1, 2016. Prior to that date, this page included tests for zones signed with 1024-bit ZSKs. Now that the ZSK length change is complete, those tests have been removed.

The root zone KSK rollover started in July 2017 when the new KSK was pre-published in the root zone, and ended in March 2019 when the old, revoked key was removed. Although the KSK rollover is complete, this web page remains active in hopes that it continues to be useful for testing large DNSSEC responses.

If you see failures for these tests, your DNS name server may not be able to receive large response messages. The organization or persons responsible for the operation of your name server should check its configuration and/or error logs. In order to receive large DNS responses, the name server may need to receive UDP fragments and/or DNS messages over TCP.

You may also find it helpful to load this page after entering your browser's developer mode and selecting the Network tab.

Note that the signed DNSKEY response sizes shown in the table above are larger than those for the root zone because the test zone names are longer than the root zone name.