[ksk-change] How to tell which trust anchors are present at a DNS resolver.

Evan Hunt each at isc.org
Tue Mar 24 21:51:36 UTC 2015

On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
> One of the discussions we've been having about 5011 rollovers is that
> there's no way to tell whether or not they are "taking" because there's
> no way to check the resolvers externally.

Why do we need to check externally?  (For that matter what exactly do
you mean by "externally"? Most resolvers won't answer queries from outside
their local networks anyway.)

> Querying a server with QNAME="." and QTYPE="DS" and with no recursion,
> gets you a set of DS records that represent the trust anchors for that
> server for the root.

Seems weird but harmless. But I don't understand the use case. I can
get this information from a BIND resolver with an "rndc" command, and I
would guess there are equivalent mechanisms in other implementations.
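The probe described in the quoted proposal, as an added example that is not part of this thread and not ISC or BIND code: it builds the wire-format query for QNAME "." / QTYPE DS with the RD bit clear, decodes any DS records in the answer section, and compares the key tags a resolver reports against the set an operator expects to see after a rollover. The sample response and its key tags and digests are constructed for the example; `query_resolver` is a hypothetical helper that sends the query over UDP and is not exercised offline. The same query can be issued by hand with `dig . DS +norecurse @<resolver>`, and a BIND operator can read the same state locally with `rndc managed-keys status`.

```python
"""Build a non-recursive '. DS' query and decode the DS records a resolver returns."""
import socket
import struct

DNS_TYPE_DS = 43   # RFC 4034 DS RR type code
DNS_CLASS_IN = 1


def build_ds_query(txid=0x1234):
    """Wire-format query: header with RD=0 (flags 0x0000), one question for '. DS IN'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    # The root name "." is encoded as a single zero-length label.
    question = b"\x00" + struct.pack("!HH", DNS_TYPE_DS, DNS_CLASS_IN)
    return header + question


def _read_name(msg, off):
    """Decode a (possibly compressed) owner name; return (name, offset past it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_ds_records(msg):
    """Return [(keytag, algorithm, digest_type, digest_hex)] for DS RRs owned by '.'."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == DNS_TYPE_DS and name == ".":
            keytag, alg, dtype = struct.unpack("!HBB", rdata[:4])
            records.append((keytag, alg, dtype, rdata[4:].hex().upper()))
    return records


def compare_anchors(reported, expected_keytags):
    """Rollover check: which expected key tags the resolver lacks, and which extras it has."""
    seen = {r[0] for r in reported}
    return {"missing": set(expected_keytags) - seen, "unexpected": seen - set(expected_keytags)}


def build_ds_response(txid, ds_list):
    """Constructed test response (QR=1, AA=1) carrying the given DS records for '.'."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(ds_list), 0, 0)
    question = b"\x00" + struct.pack("!HH", DNS_TYPE_DS, DNS_CLASS_IN)
    answers = b""
    for keytag, alg, dtype, digest_hex in ds_list:
        rdata = struct.pack("!HBB", keytag, alg, dtype) + bytes.fromhex(digest_hex)
        answers += b"\x00" + struct.pack("!HHIH", DNS_TYPE_DS, DNS_CLASS_IN, 0, len(rdata)) + rdata
    return header + question + answers


def query_resolver(server, port=53, timeout=2.0):
    """Hypothetical live probe: send the query over UDP and decode the reply."""
    q = build_ds_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_ds_records(data)


# Constructed sample: two fake SHA-256 DS records, not real root trust anchors.
SAMPLE_DS = [(12345, 8, 2, "AB" * 32), (23456, 8, 2, "CD" * 32)]
SAMPLE_RESPONSE = build_ds_response(0x1234, SAMPLE_DS)

if __name__ == "__main__":
    for rec in parse_ds_records(SAMPLE_RESPONSE):
        print("DS %d %d %d %s" % rec)
    print(compare_anchors(parse_ds_records(SAMPLE_RESPONSE), {12345, 23456, 34567}))
```

The comparison step is the part that answers the "is it taking" question: after a 5011 hold-down period, the new key tag should appear in the reported set and, once revoked, the old one should drop out; a resolver that does not implement this non-standard query will return an empty answer or a REFUSED/NOTIMP rcode rather than DS records.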

