* Charles N. Wyble:
How are folks verifying DNSSEC readiness of their environments? Any existing testing methodologies / resources that folks are using?
For now, running (with a real resolver address instead of 192.0.2.1)

  dig @192.0.2.1 $RANDOM. +dnssec

and checking if a certain percentage of the responses include DNSSEC data. This means that your resolver can get data from DURZ-enabled servers, so you should be fine when the root is signed. If your resolvers are not security-aware, use

  dig @192.0.2.1 . NSEC
  dig @192.0.2.1 . RRSIG
  dig @192.0.2.1 . DNSKEY

but you can run this variant of the test only once per day. If you never, ever get any DNSSEC data for these queries, you will very likely have a problem once all root servers have switched to serving DURZ (and later DNSSEC) data.
It seems like this is something that will become a front and center issue for help desks everywhere pretty quick. :)
Why do you think so? Would you even notice if your webmail provider switches to HTTPS by default (or back to HTTP)?
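The "certain percentage of the responses" check from the reply above can be scripted; the following is an added example, not part of the original thread. The function names, the RESOLVER and COUNT environment variables, and both sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample responses are constructed.

# Succeeds if the dig response on stdin holds a record (non-comment line)
# whose type field is RRSIG, NSEC, NSEC3 or DNSKEY.
has_dnssec() {
    awk '!/^;/ && $3 == "IN" && $4 ~ /^(RRSIG|NSEC|NSEC3|DNSKEY)$/ { found = 1 }
         END { exit !found }'
}

# Prints the integer percentage of the given response files with DNSSEC data.
dnssec_percent() {
    total=0; signed=0
    for f in "$@"; do
        total=$((total + 1))
        if has_dnssec < "$f"; then signed=$((signed + 1)); fi
    done
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    echo $((signed * 100 / total))
}

# Constructed NXDOMAIN response as relayed from a DURZ-serving root server.
sample_signed() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010030100 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20100308000000 20100301000000 11111 . CONSTRUCTEDSIG=
. 86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
EOF
}

# Constructed response with no DNSSEC records (unsigned server or DO bit dropped).
sample_unsigned() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010030100 1800 900 604800 86400
EOF
}

# Live run, only when RESOLVER is set: RESOLVER=<address> COUNT=20 sh script.sh
if [ -n "${RESOLVER:-}" ]; then
    dir=$(mktemp -d); i=0
    while [ "$i" -lt "${COUNT:-20}" ]; do
        i=$((i + 1))
        dig "@$RESOLVER" "${RANDOM:-$$}$i." +dnssec > "$dir/$i.txt" 2>/dev/null || true
    done
    echo "$(dnssec_percent "$dir"/*.txt)% of responses carried DNSSEC data"
    rm -rf "$dir"
fi
```

The type test looks only at the fourth field, so the word RRSIG inside an NSEC type bitmap or a comment line is not counted; a result of 0% across many probes corresponds to the "never, ever get any DNSSEC data" case in the reply.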