In message <blu436-smtp80cd128fbfe6cac0489bbada...@phx.gbl>, "scottjiang1...@hotmail.com" writes:
> Dear friends:
> When the resolver sends the DNSKEY RR query, irrespective of key rollover
> period, I think the response message should reply a KSK, a ZSK and a
> RRSIG(DNSKEY).

Well you are mistaken. Assuming there is a DNSKEY RRset, you can have from 1 DNSKEY to many DNSKEY records with one or many RRSIG records. You are *not* required to have a key with the SEP bit set. You are *not* required to have a key with the SEP bit cleared. You are *not* required to have multiple DNSKEYs. For every DNSSEC algorithm in the parent DS RRset there needs to be a DNSKEY that matches the DS, and of those DNSKEYs, for every algorithm, a RRSIG of the DNSKEY RRset generated by one of those DNSKEYs. If this is not met then validation failures may result.

> However, when I capture the package with tcpdump, the
> response message is unanticipated.
>
> I get the response with one KSK, two ZSKs and one RRSIG(DNSKEY) while we send
> DNSKEY RR query to root.
> For example,
>
> I get the response with one KSK, one ZSK and one RRSIG(DNSKEY) while we send
> DNSKEY RR query to com zone.
> For example,
>
> I get the response with one KSK, one ZSK and two RRSIG(DNSKEY) while we send
> DNSKEY RR query to comcast.com zone.
> For example,
> .
> So, my question is that what is the exact result of DNSKEY RR query, how
> I calculate their message size?

Your question is like asking "how long is a bit of string". The message size will be anything up to 64k.

> scottjiang1...@hotmail.com

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
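The rule Mark states (for every algorithm in the parent DS RRset, a DNSKEY that matches a DS, and an RRSIG over the DNSKEY RRset made by one of those DS-matched keys) is what a validator actually checks, and it is what breaks when a zone has keys of the "wrong" shape, not whether the response holds one KSK, one ZSK and one RRSIG. The following is an added example, not code from the thread or from ISC: it implements the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest, applies that coverage rule to a constructed DS RRset, DNSKEY RRset and RRSIG list, and gives an upper bound on the size of the DNSKEY response (the "up to 64k" point). The owner name example.test. and all key material are constructed filler, not real keys; only SHA-256 DS records are handled.

```python
# Added example (not from the dns-operations thread). Constructed records only.
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 256 = SEP bit clear ("ZSK"), 257 = SEP bit set ("KSK")
    protocol: int       # always 3
    algorithm: int
    pubkey: bytes       # filler in this example, not a real public key

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256 (the only type this example computes)
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int        # key tag of the DNSKEY that made the signature
    signature_len: int  # length of the signature field, used for the size estimate


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [lb for lb in name.rstrip(".").lower().split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY) -> DS:
    """RFC 4509 DS record: SHA-256 over canonical owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)


def check_coverage(owner, ds_rrset, dnskey_rrset, rrsigs):
    """Problems found; an empty list means the DNSKEY RRset can be validated."""
    problems = []
    for alg in sorted({ds.algorithm for ds in ds_rrset}):
        parent_ds = [ds for ds in ds_rrset if ds.algorithm == alg]
        # Keys of this algorithm whose tag, algorithm and digest appear in the parent.
        trusted = {key_tag(k) for k in dnskey_rrset
                   if k.algorithm == alg and make_ds(owner, k) in parent_ds}
        if not trusted:
            problems.append(f"algorithm {alg}: no DNSKEY matches any parent DS")
        elif not any(s.algorithm == alg and s.key_tag in trusted for s in rrsigs):
            problems.append(f"algorithm {alg}: DNSKEY RRset not signed by a "
                            f"DS-matched key (tags {sorted(trusted)})")
    return problems


def dnskey_response_size(owner, dnskey_rrset, rrsigs) -> int:
    """Upper bound (no name compression, no EDNS OPT) on the DNSKEY response:
    12-byte header, question (name + QTYPE + QCLASS), then one RR per DNSKEY and
    per RRSIG, each owner name + 10 bytes TYPE/CLASS/TTL/RDLENGTH + RDATA.
    RRSIG RDATA is 18 fixed bytes + signer name (the apex) + signature."""
    n = len(wire_name(owner))
    size = 12 + n + 4
    size += sum(n + 10 + len(k.rdata()) for k in dnskey_rrset)
    size += sum(n + 10 + 18 + n + s.signature_len for s in rrsigs)
    return size


# Constructed sample zone. Key bytes are filler, not real RSA/ECDSA material.
OWNER = "example.test."
ZSK_ONLY = DNSKEY(256, 3, 13, bytes(range(64)))                     # single key, SEP clear
KSK8 = DNSKEY(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(256)))
ZSK8 = DNSKEY(256, 3, 8, b"\x03\x01\x00\x01" + bytes(range(128)))


def scenario_single_key():
    """One DNSKEY with the SEP bit clear, signing its own RRset: validates fine."""
    return check_coverage(OWNER, [make_ds(OWNER, ZSK_ONLY)], [ZSK_ONLY],
                          [RRSIG(13, key_tag(ZSK_ONLY), 64)])


def scenario_missing_algorithm():
    """Parent has DS for algorithms 8 and 13; child publishes only algorithm 8 keys."""
    ds = [make_ds(OWNER, KSK8), make_ds(OWNER, ZSK_ONLY)]
    return check_coverage(OWNER, ds, [KSK8, ZSK8], [RRSIG(8, key_tag(KSK8), 256)])


def scenario_wrong_signer():
    """DS matches the KSK, but the DNSKEY RRset is signed only by the ZSK."""
    return check_coverage(OWNER, [make_ds(OWNER, KSK8)], [KSK8, ZSK8],
                          [RRSIG(8, key_tag(ZSK8), 256)])
```

To run this against a real zone, take the `dig +dnssec DNSKEY` output, base64-decode the key field of each DNSKEY into `pubkey`, and copy the DS RRset from the parent; real responses are smaller than `dnskey_response_size` reports because repeated owner names are compressed to 2-byte pointers.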