Are the TYPE65535 RRs necessary?

Mark Andrews Mark_Andrews at isc.org
Mon May 18 23:19:59 UTC 2009 

In message <200905182258.n4IMwd7k079733 at drugs.dv.isc.org>, Mark Andrews writes:
> 
> In message <Prayer.1.3.1.0905181731540.10875 at hermes-2.csi.cam.ac.uk>, Chris T
> ho
> mpson writes:
> > If you add DNSKEY records dynamically to a zone, BIND 9.6 signs the
> > zone (provided the private keys are available) and it also creates
> > TYPE65535 records at the zone apex (one for each key). I had assumed
> > that these were necessary in some way for subsequent RRSIG refreshing,
> > etc. But ...
> > 
> > With BIND 9.6.1b1, I signed a new zone with dnssec-signzone (using
> > lots of jitter so that signature expiry times were well distributed)
> > and *then* added it to named.conf (with the private keys available,
> > and allow-update not "none"). Named churned a bit, but did not create
> > any TYPE65535 records. "Bother", I thought, "that probably means it's
> > not going to refresh the RRSIGs as they approach expiry." But after
> > leaving it for a bit, I found it was in fact refreshing them at the
> > expected times after all, still with no TYPE65535 records being present.
> > (And this state survives named being restarted.)
> > 
> > So what are the TYPE65535 records actually for?
> > 
> There are several uses.
> 1. to tell named to restart adding/deleting signatures for the matching key
> 2. to tell the operator when a key has completed signing the zone so you can
>    know that you can delete another key, publish a DS for it, publish it as
>    a trust anchor, etc.
> It's still experimental.

	The record's current layout is:

                buf[0] = dnskey.algorithm;
                buf[1] = (keyid & 0xff00) >> 8;
                buf[2] = (keyid & 0xff);
                buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
                buf[4] = 0;

	When the last octet is non-zero the operation is complete.
	If the record relates to a key removal then the TYPE65535
	record will be removed when the change completes.

	Mark

> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list