[ksk-change] How to tell which trust anchors are present at a DNS resolver.

Michael StJohns msj at nthpermutation.com
Tue Mar 24 20:25:04 UTC 2015

One of the discussions we've been having about 5011 roll overs is that 
there's no way to tell whether or not they are "taking" because there's 
no way to check the resolvers externally.

I was looking at various possibilities including locally significant RRs 
that could be queried, but nothing clicked.

After a beer with Scott Rose - we came up with the following convention:

Querying a server with QNAME="." and QTYPE="DS" and with no recursion, 
gets you a set of DS records that represent the trust anchors for that 
server for the root.

This would have to be implemented, but given that I think it may take 2 
years to get the rollover done, that may not be a problem.

Comments on this approach?  (Note comments of "this won't work because 
it's too late" are understood and ignored).  What we're looking for are 
comments on whether the convention has bad side effects or would be 
difficult to implement correctly.
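As an added example (not code from the original post, and not from any resolver implementation), the following Python builds the proposed "." DS query with RD=0, constructs the kind of response a resolver following the convention would send, and parses the DS records back out as trust-anchor entries. The key-tag 19036 DS is the root zone's published DS at the time of the post; the second anchor, the response builder and all function names are constructed for illustration only.

```python
import struct

# Wire-format constants from RFC 1035 and RFC 4034.
QTYPE_DS = 43
CLASS_IN = 1
FLAG_QR = 0x8000     # response bit
ROOT_NAME = b"\x00"  # "." encodes as a single zero-length label


def build_root_ds_query(txn_id=0x1234):
    """Build the query the post proposes: QNAME ".", QTYPE DS, RD=0."""
    flags = 0x0000                       # QR=0, OPCODE=QUERY, RD not set
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    question = ROOT_NAME + struct.pack("!HH", QTYPE_DS, CLASS_IN)
    return header + question


def _read_name(msg, off):
    """Decode a (possibly compressed) owner name. Returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_root_trust_anchors(msg):
    """Parse a response to the "." DS query and return its DS records as dicts.

    Only DS records owned by "." in the answer section are returned; anything
    else (other types, other owners) is skipped rather than treated as an anchor.
    """
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        if qname != "." or qtype != QTYPE_DS:
            raise ValueError("answer is for %s/%d, not ./DS" % (qname, qtype))
    anchors = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != QTYPE_DS or name != ".":
            continue
        key_tag, alg, digest_type = struct.unpack("!HBB", rdata[:4])
        anchors.append({"key_tag": key_tag, "algorithm": alg,
                        "digest_type": digest_type, "digest": rdata[4:].hex()})
    return anchors


def build_root_ds_response(query, anchors, ttl=0):
    """Construct the response a resolver following the convention would send.

    Hypothetical helper, only here to produce sample input offline; a real
    resolver would synthesise these DS records from its configured or
    5011-managed anchors.
    """
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, FLAG_QR, 1, len(anchors), 0, 0)
    rrs = b""
    for a in anchors:
        rdata = (struct.pack("!HBB", a["key_tag"], a["algorithm"], a["digest_type"])
                 + bytes.fromhex(a["digest"]))
        # owner name as a compression pointer to the question name at offset 12
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_DS, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rrs


# Sample anchors. The first is the DS of the root KSK in service in 2015 (key tag
# 19036); the second is a constructed placeholder standing in for a newly added
# KSK partway through a 5011 roll, when a resolver holds both old and new anchors.
SAMPLE_ANCHORS = [
    {"key_tag": 19036, "algorithm": 8, "digest_type": 2,
     "digest": "49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5"},
    {"key_tag": 12345, "algorithm": 8, "digest_type": 2,
     "digest": "00" * 32},  # constructed, not a real key
]


def demo():
    """Round-trip: build the query, a constructed response, and parse the anchors out."""
    query = build_root_ds_query()
    response = build_root_ds_response(query, SAMPLE_ANCHORS)
    return parse_root_trust_anchors(response)


if __name__ == "__main__":
    for a in demo():
        print(". IN DS %(key_tag)d %(algorithm)d %(digest_type)d %(digest)s" % a)
```

Against a live resolver the same query is what `dig @<resolver> . DS +norecurse` sends; whether any DS records come back depends on that resolver having implemented the convention, which is the point the post is asking about.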


More information about the ksk-rollover mailing list