I thought that I needed two DS records to deposit at my domain registrar. But one big DNS provider just gave me one DS record. The Verisign DNSSEC debugger says everything is correct. But I am confused, because dnssec-keygen (DNSSEC key generation tool) always gave me two DS records. I have my doubts.
When you get 2 DS records, it is basically always because one of them contains a SHA-1 hash and the other one contains a SHA-256 hash. Look at the third integer in the textual representation of the DS record. 1 means SHA-1 and 2 means SHA-256. If both types exist, verifiers may use whichever one they like, though they should use the strongest one they understand. That means verifiers will use SHA-256 if they support it, or SHA-1 otherwise.
The SHA-1 version of the DS record need only be present to support older verifiers that do not understand SHA-256. Hopefully such verifiers are vanishingly rare, so you should be fine with just a SHA-256 DS record.
If you were given only a SHA-1 record and no SHA-256 record, you should ideally ask for a SHA-256 one, but don't worry about it too much: for now SHA-1 is probably still acceptable.
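As an added illustration (not part of the question or the answer above), the following Python builds both DS digest types from one DNSKEY the way dnssec-keygen/dnssec-dsfromkey do, and shows how a validator picks the strongest digest type it supports. The DNSKEY, owner name and key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Digest type field (third integer of a DS record): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format, which the DS digest covers."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(owner, flags, protocol, algorithm, pubkey_b64, digest_types=(1, 2)):
    """One DS record per digest type: digest = H(owner name wire | DNSKEY RDATA)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    data = name_to_wire(owner) + rdata
    tag = key_tag(rdata)
    return [f"{owner} IN DS {tag} {algorithm} {dt} {DIGEST_ALGOS[dt](data).hexdigest().upper()}"
            for dt in digest_types]

def parse_ds(text):
    """Presentation-format DS record -> (owner, key_tag, algorithm, digest_type, digest)."""
    fields = text.split()
    i = fields.index("DS")
    return fields[0], int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]), "".join(fields[i + 4:])

def pick_strongest(ds_texts, supported=(1, 2)):
    """What a validator does: drop digest types it does not know, prefer the strongest it does."""
    usable = [d for d in (parse_ds(t) for t in ds_texts) if d[3] in supported]
    return max(usable, key=lambda d: d[3]) if usable else None

# Constructed DNSKEY (flags 257 = KSK, protocol 3, algorithm 13). The 64 key bytes are a
# placeholder pattern, not a real ECDSA public key, so the digests are illustrative only.
EXAMPLE_OWNER = "example.com."
EXAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()

if __name__ == "__main__":
    both = ds_records(EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_KEY_B64)
    for rec in both:
        print(rec)
    print("SHA-256-capable validator uses digest type", pick_strongest(both)[3])
    print("SHA-1-only validator uses digest type", pick_strongest(both, supported=(1,))[3])
```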