On Fri, 1 Jun 2012, Alan Batie wrote:

> When it comes to the DS records registered at the registrar, I'm not
> sure where that comes from: the only way I can see to get it is to do a
> DS query from the nameserver (and at least one document basically said
> that). First, I'd like to know where it comes from, and second, it
> seems much too small, given ksks are supposed to be bigger as a result
> of being longer lived:
>
> raindrop.us. 1903 IN DS 41190 5 2
>     C2927E697D868DB1AEF54642E9B59079CF5412AAA36846290AB20215 9CBAFBEA
>
> vs
>
> raindrop.us. 3600 IN DNSKEY 256 3 5
>     AwEAAb3vNnkqkoG7brIDkPDSbnFDeFV2FmD+RktZFL3DDIIkM9Xkpker
>     sFTscUWFeta/DEBg8Jvgznyw6iiBCPob5Q9Vluv4mT+HNAm5F2W5wLww
>     FkJ8ia1xuZoAAl3jCHW3Cj5Dkkr0yVSSZrbORJ1/PnnKhb09o2LPjMr6 /hUjzlzV

You can use the dnssec-dsfromkey tool to generate the DS records (using the 257/KSK). The DS is smaller because it is a digest (hash) of the public key.
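The digest relationship described in the reply, as an added example that is not part of the original message or of BIND: it derives a SHA-256 DS (digest type 2) and key tag from a DNSKEY following RFC 4034, which is the computation a DS record encodes. It uses the only DNSKEY quoted on the page (flags 256); the reply says the registered DS is made from the 257/KSK, which is not shown, so the output is not expected to match the quoted DS. The function names are chosen for this example.

```python
import base64
import hashlib
import struct

# DNSKEY quoted in the message above: flags 256, protocol 3, algorithm 5.
OWNER = "raindrop.us."
FLAGS, PROTOCOL, ALGORITHM = 256, 3, 5
PUBKEY_B64 = (
    "AwEAAb3vNnkqkoG7brIDkPDSbnFDeFV2FmD+RktZFL3DDIIkM9Xkpker"
    "sFTscUWFeta/DEBg8Jvgznyw6iiBCPob5Q9Vluv4mT+HNAm5F2W5wLww"
    "FkJ8ia1xuZoAAl3jCHW3Cj5Dkkr0yVSSZrbORJ1/PnnKhb09o2LPjMr6"
    "/hUjzlzV"
)

def name_to_wire(name):
    """Canonical owner name: lowercased, length-prefixed labels, root label last."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (applies to every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a SHA-256 DS."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # The digest covers the owner name and the whole RDATA, not only the key bits.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    tag, alg, dtype, digest = make_ds(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    print(f"DNSKEY RDATA: {len(rdata)} bytes, DS digest: {len(digest) // 2} bytes")
    print(f"{OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

The digest is always 32 bytes for digest type 2 regardless of key size, which is why the DS stays the same length even for a much longer KSK.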