.@ Tony Finch – blog

ICANN are running a consultation on their plans for replacing the DNSSEC root key. I wondered if there was any way to be more confident that the new key is properly trusted before the old key is retired. My vague idea was to have a test TLD (along the lines of the internationalized test domains) whose delegation is only signed by the new root key, not the normal zone-signing keys used for the production TLDs. However this won't provide a meaningful test: the prospective root key becomes trusted because it is signed by the old root key, just like the zone-signing keys that sign the rest of the root zone. So my test TLD would ultimately be validated by the old root key; you can't use a trick like this to find out what will happen when the old key is removed.

So it looks like people who run validating resolvers will have to use some out-of-band diagnostics to verify that their software is tracking the key rollover correctly. In the case of BIND, I think the only way to do this currently is to cat the managed-keys.bind pseudo-zone, and compare this with the root DNSKEY RRset. Not user-friendly.