Spurious "TYPE65534" at the end of a NSEC3, why?

Phil Mayers p.mayers at imperial.ac.uk
Sun Feb 13 16:29:35 UTC 2011


On 02/13/2011 11:35 AM, Stephane Bortzmeyer wrote:
> On Sun, Feb 13, 2011 at 10:51:30AM +0000,
>   Phil Mayers<p.mayers at imperial.ac.uk>  wrote
>   a message of 31 lines which said:
>
>> This is documented in the Bind ARM
>
> OK, thanks, I missed this section.
>
>> i.e. the *presence* of the record is normal.
>
> I'm not convinced (and the ARM is far from clear about it).

Well, you're correct that they are absent "most" of the time.

OTOH I have a zone (NSEC not NSEC3) which is managed by dynamic updates 
and currently has a TYPE65534 at the apex, and the NSEC record names the 
TYPE65534 and its RRSIG is valid - try:

dig +dnssec bar.ic.ac.uk

(assuming the TYPE65534 doesn't vanish... in the meantime)

IOW, it sounds like a bug in the code for NSEC3, because I think it 
works for NSEC.
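
To check whether an NSEC or NSEC3 record names TYPE65534, as discussed in the message above, the type bitmap can be decoded directly. The following is an added example, not part of the original post and not BIND code; the function names are hypothetical and the sample bitmap is constructed, not taken from the zone mentioned.

```python
# Mnemonics for the few types used in the constructed sample below.
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}

def encode_type_bitmap(types):
    """Encode RR types as RFC 4034 section 4.1.2 window blocks."""
    windows = {}
    for t in sorted(set(types)):
        bitmap = windows.setdefault(t >> 8, bytearray(32))
        bitmap[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)  # bit 0 is the MSB
    out = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)

def decode_type_bitmap(data):
    """Return the RR type numbers named in a type bitmap, in ascending order."""
    types, pos, last_window = [], 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32 or window <= last_window:
            raise ValueError("malformed window block")
        bitmap = data[pos + 2 : pos + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append(window << 8 | i << 3 | bit)
        pos, last_window = pos + 2 + length, window
    return types

def present(t):
    """Render a type the way dig does: mnemonic if known, else TYPEnnn."""
    return TYPE_NAMES.get(t, f"TYPE{t}")

def private_types(types):
    """Types in the private-use range 65280-65534 (RFC 6895)."""
    return [t for t in types if 65280 <= t <= 65534]

SAMPLE = encode_type_bitmap([2, 6, 46, 47, 48, 65534])  # constructed apex bitmap

if __name__ == "__main__":
    decoded = decode_type_bitmap(SAMPLE)
    print(" ".join(present(t) for t in decoded))
    print("private-use types:", private_types(decoded))
```
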


