On Fri, Mar 2, 2012 at 11:17 PM, dE . <de.tec...@gmail.com> wrote:
> On 02/18/12 00:36, Gaurav kansal wrote:
>>> Firstly, where do we get the public key for the DS records?
>> Can you clarify your question???
>>> Second, why do I get multiple DS records as response?
>> You will always get 2 DS Records in response. One for SHA-1 and second for
>> SHA-256.
>
> I was reading the RFCs, but according to that, there's no provision of
> SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman
> (appendix A1)
And RFC4024 is seven years old. No SHA256 back then. See RFC6014, which allows IANA to assign new algorithm numbers as needed without a new RFC. SHA256 is the current preferred algorithm, while SHA-1 is still routinely used as some DNSSEC software may not support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC software that does not support SHA256 at this time, but I suspect someone, somewhere is running it.

--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
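As an added illustration (not part of the thread above), the following Python builds the pair of DS records discussed here from a single DNSKEY, one for digest type 1 (SHA-1, RFC 4034 section 5.1.4) and one for digest type 2 (SHA-256, RFC 4509), and shows why the "1 means MD5, 2 means Diffie-Hellman" reading is a mix-up: those numbers come from the DNSKEY algorithm registry (RFC 4034 Appendix A.1), a different field from the DS digest type. The owner name, flags and key bytes are constructed sample values, not a real zone's key.

```python
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.4 / RFC 4509).  This is a separate
# registry from the DNSKEY *algorithm* numbers in RFC 4034 Appendix A.1
# (where 1 = RSA/MD5, 2 = Diffie-Hellman), which is the confusion in the thread.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (16-bit sum, carry folded in)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_records(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """Return (key_tag, algorithm, digest_type, digest_hex) for every digest type:
    the two DS records a parent zone would publish for this one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    data = owner_to_wire(owner) + rdata      # digest input per RFC 4034 section 5.1.4
    tag = key_tag(rdata)                     # same tag in both DS records
    return [(tag, algorithm, dt, h(data).hexdigest().upper())
            for dt, h in sorted(DIGEST_TYPES.items())]

def format_ds(owner: str, records) -> list:
    """Presentation format, e.g. 'example.com. IN DS 12345 8 2 ABCD...'."""
    return [f"{owner} IN DS {tag} {alg} {dt} {digest}" for tag, alg, dt, digest in records]

# Constructed sample: a KSK (flags 257, protocol 3, algorithm 8 = RSASHA256)
# whose key bytes are arbitrary filler, not a real zone's key.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY = b"\x03\x01\x00\x01" + bytes(range(1, 65))

if __name__ == "__main__":
    for line in format_ds(SAMPLE_OWNER, ds_records(SAMPLE_OWNER, 257, 3, 8, SAMPLE_PUBKEY)):
        print(line)
```

Comparing the output of this against what the parent actually serves (or against `dnssec-dsfromkey` from the BIND tools on the same DNSKEY) is a quick check that a published DS set matches the key in the child zone.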