dE . <de.tec...@gmail.com> wrote: > Firstly, where do we get the public key for the DS records?
A zone's DNSKEY RRset contains its public keys, and these are hashed to make its DS records. For example, $ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g' isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759 isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5 $ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759 isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5 > Why do I get multiple RRSIG records from some servers? - When you ask a GTLD server for the yahoo.com delegation NS records, you also get two NSEC3 records that bracket the yahoo.com delegation to prove it is insecure (no DS record), and an RRSIG record for each NSEC3 record. > Do we get a RRSIG for each RR retrieved? No, one per RRset, where an RRset is all the records with the same name, class, and type. > Lastly, what's the format for the output dis DNSSEC records? See RFC 4034. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Shannon, Rockall, Malin, Hebrides, Bailey: Southwest, veering northwest, 6 to gale 8, occasionally severe gale 9, except in Shannon and Malin. Very rough or high, occasionally very high in Rockall and Bailey, but rough at first in Shannon. Rain then squally snow showers. Moderate, occasionally poor. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users