I thought that I needed two DS records to deposit at my domain registrar. But one big DNS provider just gave me one DS record. Verisign's DNSSEC debugger says everything is correct. But I am confused, because dnssec-keygen (the DNSSEC key generation tool) always gave me two DS records. I have my doubts.
1 Answer
When you get 2 DS records, it is basically always because one of them contains a SHA-1 hash and the other one contains a SHA-256 hash. Look at the third integer in the textual representation of the DS record. 1 means SHA-1 and 2 means SHA-256.
If both types exist, verifiers may use whichever one they like, though they should use the strongest one they understand. That means verifiers will use SHA-256 if they support it, or SHA-1 otherwise.
The SHA-1 version of the DS record need only be present to support older verifiers that do not understand SHA-256. Hopefully such verifiers are vanishingly rare, so you should be fine with just a SHA-256 DS record.
If you were given only a SHA-1 record and no SHA-256 record, you should ideally ask for a SHA-256 one, but don't worry about it too much: for now SHA-1 is probably still acceptable.
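To make the answer's point concrete, here is an added example (not code from the question, the answer, or any DNS provider) that builds DS records from a DNSKEY the way RFC 4034 section 5.1.4 and RFC 4509 define them, parses the presentation format so you can read off the third integer (the digest type), and picks the strongest digest a verifier supports, which is what the answer says a verifier should do. The DNSKEY public key bytes, the owner name `example.com.` and the flags/algorithm values are constructed sample input, not real key material.

```python
import hashlib

# DS digest type numbers (third integer of the DS RDATA in presentation format).
# 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels plus the root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    """The SEP bit (flags 257 rather than 256) marks the KSK; DS records are made from that key."""
    return flags & 1 == 1


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type):
    """DS record text: digest is hash(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.new(DIGEST_TYPES[digest_type], name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(line):
    """Parse 'owner [class] DS key_tag algorithm digest_type digest' into its fields."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    return {
        "owner": fields[0],
        "key_tag": tag,
        "algorithm": alg,
        "digest_type": dtype,
        "digest_name": DIGEST_TYPES.get(dtype, "unknown"),
        # the hex digest may be split across several tokens in zone files
        "digest": "".join(fields[idx + 4:]),
    }


def strongest_ds(lines, supported=(1, 2, 4)):
    """Among the DS records a verifier understands, prefer the strongest digest.

    For the three standard types the numeric order 1 < 2 < 4 happens to match the
    strength order SHA-1 < SHA-256 < SHA-384, so max() over the type number works here.
    Returns None when no record uses a supported digest type.
    """
    usable = [r for r in (parse_ds(l) for l in lines) if r["digest_type"] in supported]
    return max(usable, key=lambda r: r["digest_type"]) if usable else None


# Constructed sample KSK: flags 257 (SEP bit set), protocol 3, algorithm 8 (RSASHA256),
# with a tiny placeholder public key that is NOT a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = b"\x01\x02\x03\x04"
SAMPLE_DS_SHA1 = make_ds(SAMPLE_OWNER, 257, 3, 8, SAMPLE_KEY, 1)
SAMPLE_DS_SHA256 = make_ds(SAMPLE_OWNER, 257, 3, 8, SAMPLE_KEY, 2)

if __name__ == "__main__":
    print(SAMPLE_DS_SHA1)
    print(SAMPLE_DS_SHA256)
    chosen = strongest_ds([SAMPLE_DS_SHA1, SAMPLE_DS_SHA256])
    print("verifier would use:", chosen["digest_name"])
```

Running it prints the two DS records a tool like dnssec-keygen would emit for the same KSK (same owner, key tag and algorithm, differing only in the third integer and the digest), and shows that a verifier which understands both picks the SHA-256 one, while one restricted to `supported=(1,)` falls back to SHA-1.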
- Do I use the DS records of the KSK or ZSK keys? – user1091344 Oct 18 '14 at 18:59
- The DS records belong to the KSK key. Tools like `dnssec-signzone` that handle the generation for you automatically should also handle this automatically. – Celada Oct 19 '14 at 19:26