Post IETF - Determining 5011 Support Part 2
5011 defines a very specific timing domain for doing refresh of the trust point key RRSET (see section 2.3 of RFC5011), and that active refresh is both mandatory and easily distinguished from normal DNS cache timeout/requery intervals. One possible way of identifying 5011 resolvers would be to do timing analysis on the root server logs. Specifically:

0) Time sync all of the roots.
1) Aggregate all the logs from all root servers for a 30 day period.
2) Sort by resolver IP and timestamp. Group by resolver IP.
3) For each resolver, calculate the inter-arrival interval times between queries and compare that to the predicted/configured 5011 values. A 5011 compliant resolver that's also caching should be querying the root about 1/2 the TTL of the DNSKEY RRSet.

Again, haven't tested this and implementers may have taken liberty with the refresh protocol, but it's a place to start. And yes, I know this is a massive data set to wander through....

Mike
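The inter-arrival analysis sketched in steps 2 and 3, written up as an added example (not code from the post or from any root operator). It assumes a simplified, constructed log format of `<timestamp> <client-ip> <qname> <qtype>` already merged across all root servers, takes the root DNSKEY TTL as 172800 s so the RFC 5011 active refresh comes out at TTL/2 = 86400 s, and uses a median-of-gaps comparison with a 10% tolerance as its own heuristic for "matches the predicted 5011 value".

```python
"""Group root DNSKEY queries by resolver and compare refresh intervals with RFC 5011's TTL/2."""
from collections import defaultdict
from datetime import datetime
from statistics import median

ROOT_DNSKEY_TTL = 172800            # assumed TTL of the root DNSKEY RRset, seconds
EXPECTED_REFRESH = ROOT_DNSKEY_TTL / 2  # RFC 5011 active refresh ~ half the TTL
TOLERANCE = 0.10                    # assumed jitter window around the expected interval

# Constructed sample log lines (not real root server data): timestamp ip qname qtype
SAMPLE_LOG = """\
2024-03-01T00:00:00Z 192.0.2.10 . DNSKEY
2024-03-02T00:00:03Z 192.0.2.10 . DNSKEY
2024-03-03T00:00:01Z 192.0.2.10 . DNSKEY
2024-03-04T00:00:05Z 192.0.2.10 . DNSKEY
2024-03-01T00:00:00Z 198.51.100.7 . DNSKEY
2024-03-01T06:11:00Z 198.51.100.7 . DNSKEY
2024-03-01T19:40:00Z 198.51.100.7 . DNSKEY
2024-03-02T13:02:00Z 198.51.100.7 . DNSKEY
2024-03-01T00:00:00Z 203.0.113.4 . NS
2024-03-02T00:00:00Z 203.0.113.4 . NS
"""

def parse_log(text):
    """Step 2: keep only DNSKEY queries for the root, grouped by resolver IP as epoch seconds."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        ts, ip, qname, qtype = line.split()
        if qname != "." or qtype != "DNSKEY":
            continue
        by_ip[ip].append(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return by_ip

def inter_arrival(times):
    """Sorted gaps between consecutive queries from one resolver."""
    s = sorted(times)
    return [b - a for a, b in zip(s, s[1:])]

def classify(times, expected=EXPECTED_REFRESH, tol=TOLERANCE):
    """Step 3: median gap (robust to one retry or lost query) vs. the predicted 5011 interval."""
    gaps = inter_arrival(times)
    if len(gaps) < 2:
        return "insufficient-data"
    return "5011-like" if abs(median(gaps) - expected) <= tol * expected else "other"

def analyze(text):
    """Label every resolver seen asking the root for DNSKEY."""
    return {ip: classify(ts) for ip, ts in parse_log(text).items()}

if __name__ == "__main__":
    for ip, label in analyze(SAMPLE_LOG).items():
        print(ip, label)
```

Resolvers that never query DNSKEY (the NS-only client above) drop out before classification, and a resolver that fetches on its own schedule lands in "other" even though it refreshes regularly, which is the "implementers may have taken liberty" caveat in the post.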
Participants (1): Michael StJohns