On Tue, Dec 23, 2014 at 03:52:19PM +0800, scottjiang1...@hotmail.com <scottjiang1...@hotmail.com> wrote a message of 284 lines which said:
> When the resolver sends the DNSKEY RR query, irrespecitve of > keyrollover period, I think the response message should reply a KSK, > a ZSK No. Nothing in DNSSEC says you must have a KSK and a ZSK. See co.uk for a good example. > I get the response with one KSK, one ZSKs and two RRSIG(DNSKEY) > while we send DNSKEY RR query to comcast.com zone. Nothing strange, Comcast signs the DNSKEY set with both the KSK and the ZSK. That's legal. We do the same in .fr. > So, my question is that what is the exact result of DNSKEY RR query, All the results you mentioned are correct. _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
