I think it is useful to know how long the DNS resolver process has been up, and/or how long the server running the DNS resolver has been up, when it is sending the sentinel queries.
That would allow us to detect if we are looking at spun-up server instances and/or provisioned containers with old software stuck to KSK2010, versus old software running forever on an unmaintained server.

There is one sentinel query that is supposed to be for something that does not exist:

c. a third query name that is signed with a DNSSEC signature that cannot be validated (i.e. the corresponding RRset is not signed with a valid RRSIG record)

How about using this query to also encode an uptime/process-started-time value? Maybe with accuracy reduced to minutes. I think that would return valuable data.

draft-ietf-dnsop-kskroll-sentinel-00 could also do a better job of describing the client queries and the server replies. Right now it seems to be rather handwavy with terms like "envisaged to use", instead of just properly defining the exact query.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
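An added illustration of the proposal above (not code from the draft or from Paul's message): it assumes a hypothetical label format `uptime-<minutes>` prepended to a constructed bogus-sentinel zone name, shows the resolver-side encoding at minute precision, the authoritative-side decoding, and the classification of a KSK2010-stuck resolver into "freshly started instance" versus "long-running unmaintained server".

```python
import re
from typing import Optional

# Hypothetical encoding assumed for this example; the draft defines no such label.
UPTIME_LABEL = re.compile(r"^uptime-(\d{1,8})$")
# Constructed placeholder for the bogus (unvalidatable) sentinel name.
BOGUS_SENTINEL_ZONE = "bogus.sentinel.example"


def encode_uptime_query(process_start: float, now: float,
                        zone: str = BOGUS_SENTINEL_ZONE) -> str:
    """Resolver side: build the bogus-sentinel qname carrying uptime in whole minutes."""
    if now < process_start:
        raise ValueError("clock went backwards; refusing to encode a negative uptime")
    minutes = int((now - process_start) // 60)   # accuracy reduced to minutes
    label = f"uptime-{minutes}"
    if len(label) > 63:                          # DNS label length limit
        raise ValueError("uptime label exceeds 63 octets")
    return f"{label}.{zone}"


def decode_uptime_query(qname: str, zone: str = BOGUS_SENTINEL_ZONE) -> Optional[int]:
    """Authoritative side: recover uptime minutes from the qname, or None if absent."""
    qname = qname.rstrip(".")
    if not qname.endswith("." + zone):
        return None
    label = qname[: -len(zone) - 1]
    m = UPTIME_LABEL.match(label)
    return int(m.group(1)) if m else None


def classify_stuck_resolver(uptime_minutes: Optional[int], stuck_on_old_ksk: bool,
                            fresh_threshold_minutes: int = 7 * 24 * 60) -> str:
    """Separate newly provisioned instances shipping old software from servers
    that have simply been running unmaintained for a long time."""
    if not stuck_on_old_ksk:
        return "ok"
    if uptime_minutes is None:
        return "stuck-unknown-uptime"
    if uptime_minutes < fresh_threshold_minutes:
        return "stuck-freshly-started"
    return "stuck-long-running"
```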