I think it is useful to know how long the DNS resolver process has been
up, and/or how long the server running the DNS resolver has been up,
when it is sending the sentinel queries.

That would allow us to detect if we are looking at spun up server
instances and/or provisioned containers with old software stuck to
KSK2010, versus old software running forever on an unmaintained server.

There is one sentinel query that is supposed to be for something that
does not exist:

        c.  a third query name that is signed with a DNSSEC signature that
               cannot be validated (i.e. the corresponding RRset is not signed
               with a valid RRSIG record).

How about using this query to also encode an uptime-processstartedtime value?
Maybe with accuracy reduced to minutes. I think that would return
valuable data.

draft-ietf-dnsop-kskroll-sentinel-00 could also do a better job of
describing the client queries and the server replies. Right now
it seems to be rather handwavy with terms like "envisaged to use",
instead of just properly defining the exact query.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
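Added example (not part of the post above, and not from the kskroll-sentinel draft): a sketch of what encoding a resolver's process start time, reduced to minute accuracy, into the first label of the "cannot be validated" sentinel query might look like, together with the decoding an observer of the query logs would do to recover uptime. The label format ("uptime-" plus minutes since the Unix epoch), the sentinel suffix and the sample query are all assumptions chosen for illustration; the only facts relied on are the DNS limits of 63 octets per label and 253 characters per name. Keep in mind that whatever is encoded here is visible to every authoritative server and resolver on the path, so the value should carry no more than the coarse uptime being measured.

```python
import re

# Assumed label format (not from the draft): a fixed prefix followed by the
# process start time truncated to whole minutes since the Unix epoch.
PREFIX = "uptime-"
LABEL_RE = re.compile(r"^uptime-(\d{1,12})$")

# Constructed placeholder for the sentinel name whose RRSIG cannot be validated.
BOGUS_SIG_SENTINEL = "bogus-sig.sentinel.example"


def start_time_label(process_start_epoch: float) -> str:
    """Encode a process start time as one DNS label at minute granularity."""
    minutes = int(process_start_epoch // 60)
    label = f"{PREFIX}{minutes}"
    if len(label) > 63:  # a DNS label is at most 63 octets
        raise ValueError("label too long")
    return label


def build_query_name(process_start_epoch: float,
                     sentinel_suffix: str = BOGUS_SIG_SENTINEL) -> str:
    """Prepend the uptime label to the sentinel name the resolver queries."""
    name = f"{start_time_label(process_start_epoch)}.{sentinel_suffix}"
    if len(name) > 253:  # presentation-format name length limit
        raise ValueError("query name too long")
    return name


def parse_uptime_minutes(qname: str, observed_epoch: float):
    """Recover the resolver's uptime in minutes from an observed query name.

    Returns None when the first label does not carry the assumed encoding or
    when the encoded start time lies in the future (clock skew or garbage),
    so that unrelated queries are never misread as uptime reports.
    """
    first_label = qname.rstrip(".").split(".", 1)[0]
    m = LABEL_RE.match(first_label)
    if not m:
        return None
    start_minutes = int(m.group(1))
    observed_minutes = int(observed_epoch // 60)
    if start_minutes > observed_minutes:
        return None
    return observed_minutes - start_minutes


if __name__ == "__main__":
    # Constructed values: a resolver started at epoch 1600000000 and observed
    # sending the sentinel query exactly 40 days later.
    start = 1_600_000_000
    seen = start + 40 * 24 * 3600
    qname = build_query_name(start)
    print(qname)                                   # uptime-26666666.bogus-sig.sentinel.example
    print(parse_uptime_minutes(qname, seen))       # 57600 (minutes, i.e. 40 days)
    print(parse_uptime_minutes("www.example.", seen))  # None
```

Minute granularity keeps the label short and avoids leaking a precise timestamp; the decoder only computes a difference, so the observer learns how long the process has been running, not when it started in wall-clock terms beyond what the query itself already reveals.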
