* Phil Regnauld:
Fair enough. Some simple "check your DNS reply size test [what is this ?]" page ought to be set up, with a simple explanagtion. "checkmydns.org" is available. If I get 5 minutes... :)
Reply sizes are a red herring. You need something that looks at the result of ./IN/DNSKEY, ./IN/RRSIG, ./IN/NSEC. At least one of these queries should return data, some of the time. (Unfortunately, the test is probabilistic.) Then you know that your resolver can receive data from the signed root and will not cease to work when all the roots serve the signed zone. Other tests can't tell you that. If your resolver is DNSSEC-aware, you can force cache misses by using random query names with a non-existing TLD. This variant of the test is much easier to carry out.