Paul asked me to drop a note to the list describing a few techniques that I think might be used to determine whether a querying entity supports 5011.  This email describes detection through the use of the REVOKE bit.   (Note that I haven't tested any of these - but they should work 1) Assume that non-5011 entities silently ignore the revoke bit 2) Per 5011, the revoke bit applies to ALL DNSKEY records, not just the root KSKs and you're not allowed to trace a chain of trust through a revoked key. 3) In a non-root zone, set up a delegations to two zones - "valid" and "invalid". 4) Set the valid zone up with the normal KSK/ZSK pair in the DNSKEY RRSet.  Set the invalid zone up but with the ZSK having the revoke bit set.  Create the RRSigs as appropriate and remember to have the ZSK in the invalid zone also sign the DNSKey RRSet (to cause the key to be revoked). 5) Seed both zones with various A/AAAA and CNAME records. 6) Place web servers at the location pointed to by each of the A/AAAA RRSets and at a place pointed to by the CNAME record. 7) Seed a popular web page (get Google or some other high traffic name to help) with URLs that point to items (say a JPG) served by each of the web servers - avoid having anything else at those servers but these items. 8) Collect logs on the DNS server and on the web servers over a period of a month or so. 9) Do the analysis.   Items retrieved from the server pointed to by the A/AAAA RRSet signed by the revoked ZSK are probably being pulled by clients served by resolvers that don't do 5011. Correlate the times of DNS query with times of web queries - you'll mostly pull up the first query from a given resolver before it caches the answer. Pairing an invalid URL (in the sense that DNSSEC should prevent its retrieval) with a valid URL allows for a check against false negatives. If the correlation by log analysis doesn't work - have the dns server return dynamic addresses for the web server that encode the resolver's identity in some manner.  (For example, by twiddling the CNAME so that a browser generates an SNI with the resolver identity encoded for a TLS connection). So: Client that sees web pages pointed to by both valid and invalid zones is probably being served by a non-5011 resolver. Client that sees only web pages pointed to by the valid zone is probably being served by a 5011 resolver. Client that sees either neither of the web pages or only the invalid web page is probably being served by a broken resolver. Mike