On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
> One of the discussions we've been having about 5011 rollovers is that there's no way to tell whether or not they are "taking" because there's no way to check the resolvers externally.
Why do we need to check externally? (For that matter what exactly do you mean by "externally"? Most resolvers won't answer queries from outside their local networks anyway.)
> Querying a server with QNAME="." and QTYPE="DS" and with no recursion, gets you a set of DS records that represent the trust anchors for that server for the root.
Seems weird but harmless. But I don't understand the use case. I can get this information from a BIND resolver with an "rndc" command, and I would guess there are equivalent mechanisms in other implementations.

--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
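As an added example (not code from this thread), the script below builds the non-recursive "." DS query described above and parses the DS records out of a response, so a resolver's reported root trust anchors can be compared against the set expected after a rollover. The response bytes are constructed here for offline use; only the key tag 19036 is real (the 2010 root KSK's tag), the digest is a placeholder.

```python
import struct

DS_TYPE = 43  # RRTYPE DS

def build_root_ds_query(qid=0x1234):
    """Wire-format query for QNAME='.' QTYPE=DS with RD=0 (no recursion)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # flags=0 -> RD clear
    return header + b"\x00" + struct.pack("!HH", DS_TYPE, 1)   # root name, DS, IN

def _skip_name(msg, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_ds_records(msg):
    """Return (key_tag, algorithm, digest_type, digest_hex) for each DS answer RR."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == DS_TYPE:
            key_tag, alg, dtype = struct.unpack_from("!HBB", rdata, 0)
            records.append((key_tag, alg, dtype, rdata[4:].hex()))
    return records

def anchors_match(msg, expected_key_tags):
    """True when the reported root DS key tags equal the expected set."""
    return {r[0] for r in parse_ds_records(msg)} == set(expected_key_tags)

# Constructed response for offline use: one DS RR with key tag 19036 (the 2010 root
# KSK's tag), algorithm 8, digest type 2 and a placeholder digest (not the real one).
CONSTRUCTED_DIGEST = bytes.fromhex("11" * 32)
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)          # QR and AA set
    + b"\x00" + struct.pack("!HH", DS_TYPE, 1)                   # question section
    + b"\x00" + struct.pack("!HHIH", DS_TYPE, 1, 3600, 4 + 32)   # answer RR header
    + struct.pack("!HBB", 19036, 8, 2) + CONSTRUCTED_DIGEST
)
```

Sending `build_root_ds_query()` over UDP to a resolver's port 53 and feeding the reply to `anchors_match` gives the external check the thread discusses; the local BIND equivalent Evan refers to is `rndc secroots`, which dumps the configured trust anchors.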