The DNS protocol works on a query/response basis. A client sends a query to a server, and the server answers it. The DNS protocol uses name compression to make DNS packets as compact as possible. The DNS protocol is an application-layer protocol.

Chapter 3

    8lSc DACJGlTaXBkRP iNkjyrGU w29FTH3zZ4ahEk26 JvxtEUhWDvaqJYO6s8n2N2RqR Qhd08UsvwLyCEshlff BqPtFMzm lvJf TB
    key id 3719
    SIG KEY 3 2 259200 20010607033618 20010601084258 3719 . BHrEtaQBiMpVRxVQgl3i4Nf7LAPXfftgFiqH6EGl64Fp BhuuVu GipM

Note that the KEY record has not changed, except for the key ID derived from the key value. Also note the SIG record in the generated file, which contains the following items:

- The signed record type is KEY (a KEY record is signed).
- Algorithm 3 (DSA).
- The label field contains 2, since the DNS name company.com consists of two chains (the company chain and the com chain).
- The original TTL is 259200.
- The signature expires on 20010607033618 (June 7, 2001 at 03:36:18 UTC).
- The signature is valid until 20010601084258 (June 1, 2001 at 08:42:58 UTC).
- The key ID is 3719.
- The signature was created by company.com.

Similarly, the department key can be signed as well:

    dnssec-makekeyset -t 259200 -e 500000 . 003 23457

thus creating the keyset-department.company.com. file containing the relevant digital signature:

    $ORIGIN .
    $TTL 259200 ; 3 days
    IN KEY 256 3 3 BP lDE7w5LpEr7djd26pQGd6wctJ 8alCq1BMuCupKl0 0CNPVDR64sHwPionq3Q07t884DeA9vOb4b3k14daZmBR KINfqvBF hi ntoTqJH2jENUsLxNk23CTBgi2fIQuZbKZ XSdian4GUGGMQjFj df8VslHLNc0YaWB4hXqfZuQRRgbW UFA4CZX0SgSOpNAm4h6jk7S1qnv8EL MUdnvOg3wr82q j7maxAdEPOY5Q6f0Rlj QHEsl6xuGoWYEjYmyGlH r9r N0KLxf904XesziZr3lloPnuXTC L03gA60VTJYYQXeu CGldjcLP6AK2rm16svx sTM v FfSdl7pkqBOQoq28bf d3qgRioj FlWbeBhk14v jBn5lNbwxcErGmKXtdbplGHxD ukSykxrQBZNRNmG8
    key id 23457
    SIG KEY 3 3 259200 20010607040154 20010601090834 23457 . BAre8ynW1PvA version 6hhe69mbVmAGm24dxwJUqcpHE2PvXwq V23HHqZWQo

The signature can be sent to the administrator of the higher domain (company.com).
The higher-level domain administrator has a tool for signing keys from subordinate domains: dnssec-signkey . . 003 .
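The SIG fields walked through above can be parsed and sanity-checked before any cryptographic verification. The following is an added example, not code from the original text or from BIND: it reads the fields in RFC 2535 order (type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature). The function names are hypothetical, the signer name company.com. is taken from the prose, and the signature string is a constructed placeholder.

```python
from datetime import datetime, timezone
from typing import NamedTuple

ALGORITHMS = {1: "RSA/MD5", 3: "DSA", 5: "RSA/SHA-1"}  # subset of the IANA registry

class Sig(NamedTuple):
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime  # RFC 2535 lists expiration before inception
    inception: datetime
    key_tag: int
    signer: str
    signature: str

def _ts(text):  # presentation-form timestamps are YYYYMMDDHHMMSS in UTC
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_sig(rdata):
    f = rdata.split()
    if len(f) < 9:
        raise ValueError("expected 8 fixed fields followed by the signature")
    return Sig(f[0], int(f[1]), int(f[2]), int(f[3]), _ts(f[4]), _ts(f[5]),
               int(f[6]), f[7].lower(), "".join(f[8:]))

def count_labels(name):
    """Labels in an owner name; the root and a leading '*' are not counted."""
    return len([p for p in name.rstrip(".").split(".") if p and p != "*"])

def check_sig(sig, owner, now):
    """Return the problems a validator would reject before checking the crypto."""
    problems = []
    owner = owner.lower().rstrip(".") + "."
    if sig.algorithm not in ALGORITHMS:
        problems.append("unknown algorithm %d" % sig.algorithm)
    if sig.labels > count_labels(owner):
        problems.append("labels field exceeds labels in owner name")
    in_zone = sig.signer == "." or owner == sig.signer or owner.endswith("." + sig.signer)
    if not in_zone:
        problems.append("owner is not at or below the signer name")
    if now < sig.inception:
        problems.append("signature not yet valid")
    if now > sig.expiration:
        problems.append("signature expired")
    return problems

# Constructed sample: field values from the record above, placeholder signature.
SAMPLE = "KEY 3 2 259200 20010607033618 20010601084258 3719 company.com. PLACEHOLDERSIG="
```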