Are the TYPE65535 RRs necessary?

Mark Andrews Mark_Andrews at isc.org
Mon May 18 22:58:39 UTC 2009


In message <Prayer.1.3.1.0905181731540.10875 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> If you add DNSKEY records dynamically to a zone, BIND 9.6 signs the
> zone (provided the private keys are available) and it also creates
> TYPE65535 records at the zone apex (one for each key). I had assumed
> that these were necessary in some way for subsequent RRSIG refreshing,
> etc. But ...
> 
> With BIND 9.6.1b1, I signed a new zone with dnssec-signzone (using
> lots of jitter so that signature expiry times were well distributed)
> and *then* added it to named.conf (with the private keys available,
> and allow-update not "none"). Named churned a bit, but did not create
> any TYPE65535 records. "Bother", I thought, "that probably means it's
> not going to refresh the RRSIGs as they approach expiry." But after
> leaving it for a bit, I found it was in fact refreshing them at the
> expected times after all, still with no TYPE65535 records being present.
> (And this state survives named being restarted.)
> 
> So what are the TYPE65535 records actually for?
> 
There are several uses.
1. to tell named to restart adding/deleting signatures for the matching key
2. to tell the operator when a key has completed signing the zone so you can
   know that you can delete another key, publish a DS for it, publish it as
   a trust anchor, etc.
It's still experimental.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
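Use 2 above (knowing when a key has finished signing the zone, and keeping an eye on RRSIG expiry) can be checked directly from the signed zone data instead of relying on the experimental TYPE65535 records. The following is an added example, not BIND code and not from either poster: it parses a one-record-per-line zone file (a constructed sample is embedded), reports which RRsets still lack an RRSIG from a given key tag, and lists signatures that expire within a window. The key tags 12345 and 54321, the names and the dates are all constructed for the example.

```python
"""Check RRSIG coverage per key tag and RRSIG expiry in a signed zone.

Added example, not part of BIND. Assumes the zone is in text form with one
record per line (the presentation format dnssec-signzone writes).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: ZSK 12345 has signed everything; newly added ZSK 54321
# has signed the SOA and A RRsets but not yet the NS RRset.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009051801 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20090601000000 20090502000000 12345 example.com. AAAA
example.com. 3600 IN RRSIG SOA 5 2 3600 20090601000000 20090502000000 54321 example.com. BBBB
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 5 2 3600 20090520000000 20090420000000 12345 example.com. CCCC
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 5 3 3600 20090615000000 20090516000000 12345 example.com. DDDD
www.example.com. 3600 IN RRSIG A 5 3 3600 20090615000000 20090516000000 54321 example.com. EEEE
"""

# Constructed "current time" matching the thread's date, so the sample is meaningful.
NOW = datetime(2009, 5, 18, 22, 58, 39, tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return one dict per RRSIG line: owner, covered type, expiry, key tag.

    RRSIG presentation format: owner ttl class RRSIG type alg labels
    orig-ttl expiration inception keytag signer signature
    """
    sigs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        expiry = datetime.strptime(fields[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        sigs.append({"owner": fields[0], "type": fields[4],
                     "expiry": expiry, "key_tag": int(fields[10])})
    return sigs


def signed_rrsets(zone_text):
    """Set of (owner, type) for every non-RRSIG RRset in the zone."""
    rrsets = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] == "RRSIG":
            continue
        rrsets.add((fields[0], fields[3]))
    return rrsets


def key_tags(zone_text):
    """Sorted list of key tags that appear in any RRSIG."""
    return sorted({s["key_tag"] for s in parse_rrsigs(zone_text)})


def missing_coverage(zone_text, key_tag, skip_types=("DNSKEY",)):
    """RRsets that have no RRSIG from key_tag.

    A key has "completed signing the zone" when this returns an empty set.
    DNSKEY is skipped by default because that RRset is normally signed by
    the KSK rather than the ZSK being checked.
    """
    covered = {(s["owner"], s["type"])
               for s in parse_rrsigs(zone_text) if s["key_tag"] == key_tag}
    return {rr for rr in signed_rrsets(zone_text)
            if rr[1] not in skip_types and rr not in covered}


def expiring_soon(zone_text, now, window=timedelta(days=7)):
    """RRSIGs expiring within `window` of `now` (already-expired ones included),
    sorted by expiry so the most urgent come first."""
    soon = [s for s in parse_rrsigs(zone_text) if s["expiry"] - now <= window]
    return sorted(soon, key=lambda s: s["expiry"])


if __name__ == "__main__":
    for tag in key_tags(SAMPLE_ZONE):
        gaps = missing_coverage(SAMPLE_ZONE, tag)
        state = "complete" if not gaps else "missing " + str(sorted(gaps))
        print(f"key {tag}: {state}")
    for s in expiring_soon(SAMPLE_ZONE, NOW):
        print(f"RRSIG {s['owner']} {s['type']} (key {s['key_tag']}) "
              f"expires {s['expiry']:%Y-%m-%d}")
```

Running it on the sample reports key 12345 as complete, key 54321 as missing the NS RRset, and the NS signature (expiring 2009-05-20) as the only one due within a week. On a real zone, run it against the output of `dig ... AXFR` or the signed zone file and treat an empty `missing_coverage` result for the new key as the point at which the old key may be retired, which is exactly what use 2 of the TYPE65535 records is meant to tell you.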
