[dns-operations] What is the exact response?

Tue Dec 23 13:15:22 UTC 2014

On Tue, Dec 23, 2014 at 03:52:19PM +0800,
 scottjiang1415 at hotmail.com <scottjiang1415 at hotmail.com> wrote 
 a message of 284 lines which said:

> When the resolver sends the DNSKEY RR query, irrespecitve of
> keyrollover period, I think the response message should reply a KSK,
> a ZSK

No. Nothing in DNSSEC says you must have a KSK and a ZSK. See co.uk
for a good example.

> I get the response with one KSK， one ZSKs and two RRSIG（DNSKEY）
> while we send DNSKEY RR query to comcast.com zone.

Nothing strange, Comcast signs the DNSKEY set with both the KSK and the
ZSK. That's legal. We do the same in .fr.

> So, my question is that what is the exact result of DNSKEY RR query,

All the results you mentioned are correct.