Welcome to the Root Canary project

The Root Canary project is a joint project of seven partners: SURFnet, the University of Twente, Northeastern University, NLnet Labs, SIDN Labs, the RIPE NCC and ICANN. The goal of this project is to monitor and measure the rollover of the DNSSEC root Key Signing Key (KSK), that is taking placing from 2017 to early 2019.

Through this website, we provide information on our project, how our measurement works and pointers to additional resources about the root KSK rollover.

Go directly to:

RIPE Atlas measurement results

RIPE Atlas measurement live stream

Algorithm test

Latest news

More news items can be found on the News tab.


Note: this page only discusses those properties of DNSSEC that are relevant for the Root Canary project. For an in-depth overview of resources on DNSSEC, please visit the Internet Society's Deploy 360 website.

The DNS Security Extensions, or DNSSEC for short, add two much-needed security properties to the Domain Name System:

DNSSEC achieves these properties by using digital signatures, made using public key cryptography. In essence, DNSSEC turns the entire DNS into a Public Key Infrastructure (PKI), with the root of the DNS at the top of the hierarchy.

DNS resolvers that support DNSSEC validate the digital signatures in the DNS, to verify the authenticity and integrity of DNS responses. They do this along the so-called chain of trust. This chain of trust typically starts at the root zone of the DNS with the so-called Root Key Signing Key (or Root KSK for short).

Root KSK Rollover

The key that is currently used as Root KSK was introduced in July 2010, when the root zone of the DNS first deployed DNSSEC. Since then, this key has not been replaced. In 2017/2018, this key will be replaced by a new key for the first time, during the so-called Root KSK Rollover.

Potential Problems

Given that this is the first time the Root KSK is replaced, it is as yet uncertain what the impact of this event will be on DNSSEC-validating DNS resolvers across the Internet. While extensive testing has, of course, taken place, we will not know what the real-world effects are until the key rollover process actually starts. DNSSEC-validating resolvers may encounter a number of problems, in particular:

Goals of this Project

This project has two main goals. The first goal is to serve as a virtual canary in the coalmine, that signals problems DNSSEC-validating DNS resolvers may have during the Root KSK rollover process. The second goal is to perform comprehensive measurements of the global DNS resolver population during the entire Root KSK rollover process, from the introduction of the new key in July 2017 until the removal of the old key in March 2018. The results of these measurements can then be analysed after the process completes to draw lessons for future Root KSK rollover events.

The Root Canary project is a collaboration between the SURFnet, the University of Twente, Northeastern University, NLnet Labs, SIDN Labs, the RIPE NCC and ICANN.

For more information on the Root Canary project, please contact:

Roland van Rijswijk-Deij <> (University of Twente, SURFnet)

Click on "Start test" below to test which DS algorithms and DNSSEC signing algorithms are supported by the DNS resolver(s) configured on your system.

For more information please consult one of the following resources:

Last updated on September 18, 2017