In message <can6yy1vu9ecabvindlmpufqfjj47jq_beejdwz8d-jsxvdo...@mail.gmail.com>, Kevin Oberman writes:

> On Fri, Mar 2, 2012 at 11:17 PM, dE . <de.tec...@gmail.com> wrote:
> > On 02/18/12 00:36, Gaurav kansal wrote:
> > > > Firstly, where do we get the public key for the DS records?
> > >
> > > Can you clarify your question???
> > >
> > > > Second, why do I get multiple DS records as response?
> > >
> > > You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.
> >
> > I was reading the RFCs, but according to that, there's no provision of SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman (appendix A1)
>
> And RFC4024 is seven years old. No SHA256 back then.
>
> See RFC6014 which allows IANA to assign new algorithm numbers as needed without a new RFC. SHA256 is the current preferred algorithm, while SHA-1 is still routinely used as some DNSSEC software may not support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC software that does not support SHA256 at this time, but I suspect someone, somewhere is running it.
Additionally it helps to read the correct table, "A.2. DNSSEC Digest Types". SHA1 and SHA256 refer to digest types. RSAMD5 (not just MD5) and Diffie-Hellman are DNSSEC Algorithm Types.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
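To make the distinction Mark draws concrete, here is an added Python example (not code from the thread, from BIND or from any of the posters) that derives DS RDATA from a DNSKEY the way a parent zone or a validator does: the key tag per RFC 4034 Appendix B, the algorithm number copied from the DNSKEY (the A.1 table), and the digest computed as H(owner name in wire form | DNSKEY RDATA) with the digest type (the A.2 table) selecting SHA-1 or SHA-256. The owner name, the key bytes and all function names are constructed for illustration; the key blob is a placeholder, not a real RSA key.

```python
import hashlib
import hmac

# DS digest types (RFC 4034 Appendix A.2; type 2 added by RFC 4509, type 4 by RFC 6605).
DS_DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}
# DNSKEY algorithm numbers: a separate table (RFC 4034 Appendix A.1 plus IANA additions).
DNSKEY_ALGORITHMS = {1: "RSAMD5 (obsolete)", 2: "DH (obsolete)", 5: "RSASHA1",
                     8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, dnskey_rdata, digest_type):
    """Derive DS fields from a DNSKEY: digest = H(owner_wire | DNSKEY RDATA)."""
    h = hashlib.new(DS_DIGEST_TYPES[digest_type])
    h.update(name_to_wire(owner) + dnskey_rdata)
    return {"key_tag": key_tag(dnskey_rdata), "algorithm": dnskey_rdata[3],
            "digest_type": digest_type, "digest": h.digest()}

def ds_matches_dnskey(ds, owner, dnskey_rdata):
    """Validator-side check: recompute the digest and compare it with the published DS."""
    if ds["digest_type"] not in DS_DIGEST_TYPES:
        return False  # unknown digest type: unusable for validation, never a match
    expected = make_ds(owner, dnskey_rdata, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(expected["digest"], ds["digest"]))

# Constructed sample KSK: flags=257 (KSK), protocol=3, algorithm=8 (RSASHA256),
# followed by a placeholder key blob (not a real RSA public key).
SAMPLE_OWNER = "Example.COM."
SAMPLE_DNSKEY = bytes([0x01, 0x01, 0x03, 0x08]) + b"\x01\x02\x03\x04"

if __name__ == "__main__":
    for dt in (1, 2):  # the SHA-1 and SHA-256 DS pair a parent typically publishes
        ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, dt)
        print(f"{SAMPLE_OWNER} DS {ds['key_tag']} {ds['algorithm']} {dt} {ds['digest'].hex()}")
```

Both DS records carry the same key tag and algorithm number; only the digest type and the digest differ, which is why a single DNSKEY yields two DS records.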