[dns-operations] What is the exact response?
Mark Andrews
marka at isc.org
Tue Dec 23 13:33:35 UTC 2014
In message <BLU436-SMTP80CD128FBFE6CAC0489BBADA570 at phx.gbl>, "scottjiang1415 at hotmail.com" writes:
> Dear friends:
> When the resolver sends the DNSKEY RR query, irrespective of key rollover
> period, I think the response message should reply with a KSK, a ZSK and an
> RRSIG(DNSKEY).
Well you are mistaken. Assuming there is a DNSKEY RRset, you can
have from 1 DNSKEY to many DNSKEY records with one or many RRSIG
records.
You are *not* required to have a key with the SEP bit set.
You are *not* required to have a key with the SEP bit cleared.
You are *not* required to have multiple DNSKEYs.
For every DNSSEC algorithm in the parent DS RRset there needs to
be a DNSKEY that matches the DS and, of those DNSKEYs, for every
algorithm an RRSIG of the DNSKEY RRset generated by one of those DNSKEYs.
If this is not met then validation failures may result.
> However, when I capture the package with tcpdump, the
> response message is unanticipated.
>
> I get the response with one KSK, two ZSKs and one RRSIG(DNSKEY) while we send
> a DNSKEY RR query to root.
> For example,
>
> I get the response with one KSK, one ZSK and one RRSIG(DNSKEY) while we send
> a DNSKEY RR query to the com zone.
> For example,
>
> I get the response with one KSK, one ZSK and two RRSIG(DNSKEY) while we send
> a DNSKEY RR query to the comcast.com zone.
> For example,
> .
> So, my question is: what is the exact result of a DNSKEY RR query, and how
> do I calculate the message size?
Your question is like asking "how long is a bit of string".
The message size will be anything up to 64k.
> scottjiang1415 at hotmail.com
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
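The requirement Mark states above (for every algorithm in the parent DS RRset, a zone DNSKEY that matches a DS, and an RRSIG over the DNSKEY RRset made by one of those keys) as an added worked example; this is not code from the list post or from ISC. The key tag and DS digest follow RFC 4034; the owner name "example." and all key bytes are constructed sample data, and the RRSIG records are reduced to (algorithm, key tag) pairs since the signatures themselves are not checked here.

```python
import hashlib
import struct

ZONE_KEY_FLAG = 0x0100  # DNSKEY flag bit 7: zone key
SEP_FLAG = 0x0001       # DNSKEY flag bit 15: Secure Entry Point (set on KSKs by convention)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types SHA-1 and SHA-256

def name_to_wire(name):
    """Canonical (lowercase, length-prefixed) wire form of an owner name, as hashed into a DS."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()

def check_dnskey_rrset(owner, ds_set, dnskeys, rrsigs):
    """Per DS algorithm: is there a zone DNSKEY matching a DS, and does one of those keys sign
    the DNSKEY RRset?  ds_set: [(key_tag, alg, digest_type, digest)];
    dnskeys: [(flags, protocol, alg, pubkey)]; rrsigs: [(alg, key_tag)] from RRSIG(DNSKEY)."""
    report = {}
    for alg in sorted({ds[1] for ds in ds_set}):
        matched = set()
        for flags, proto, kalg, pub in dnskeys:
            if kalg != alg or not flags & ZONE_KEY_FLAG:
                continue
            rdata = dnskey_rdata(flags, proto, kalg, pub)
            tag = key_tag(rdata)
            if any(dalg == alg and dtag == tag and ds_digest(owner, rdata, dtype) == digest
                   for dtag, dalg, dtype, digest in ds_set):
                matched.add(tag)
        signed = any(salg == alg and stag in matched for salg, stag in rrsigs)
        report[alg] = {"matching_keytags": matched, "signed": signed, "ok": bool(matched) and signed}
    return report

def demo():
    """Constructed sample: KSK + ZSK (alg 13), a DS for the KSK only, plus a stale alg-8 DS."""
    ksk = (ZONE_KEY_FLAG | SEP_FLAG, 3, 13, bytes(range(64)))  # fake public key bytes
    zsk = (ZONE_KEY_FLAG, 3, 13, bytes(range(64, 128)))
    ksk_rdata = dnskey_rdata(*ksk)
    ds_set = [(key_tag(ksk_rdata), 13, 2, ds_digest("example.", ksk_rdata, 2)),
              (12345, 8, 2, b"\x00" * 32)]  # algorithm 8 DS with no DNSKEY behind it
    rrsigs = [(13, key_tag(ksk_rdata)), (13, key_tag(dnskey_rdata(*zsk)))]
    return check_dnskey_rrset("example.", ds_set, [ksk, zsk], rrsigs)
```

In the sample, algorithm 13 passes (the KSK matches its DS and signs the RRset) while algorithm 8 fails, which is exactly the "validation failures may result" case for a parent that still publishes a DS for a retired algorithm.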