Spurious "TYPE65534" at the end of a NSEC3, why?

Mark Andrews marka at isc.org
Mon Feb 14 02:50:49 UTC 2011


In message <4D5806EF.7000505 at imperial.ac.uk>, Phil Mayers writes:
> On 02/13/2011 11:35 AM, Stephane Bortzmeyer wrote:
> > On Sun, Feb 13, 2011 at 10:51:30AM +0000,
> >   Phil Mayers<p.mayers at imperial.ac.uk>  wrote
> >   a message of 31 lines which said:
> >
> >> This is documented in the BIND ARM
> >
> > OK, thanks, I missed this section.
> >
> >> i.e. the *presence* of the record is normal.
> >
> > I'm not convinced (and the ARM is far from clear about it).
> 
> Well, you're correct that they are absent "most" of the time.
> 
> OTOH I have a zone (NSEC not NSEC3) which is managed by dynamic updates 
> and currently has a TYPE65534 at the apex, and the NSEC record names the 
> TYPE65534 and its RRSIG is valid - try:
> 
> dig +dnssec bar.ic.ac.uk
> 
> (assuming the TYPE65534 doesn't vanish... in the meantime)
> 
> IOW, it sounds like a bug in the code for NSEC3, because I think it 
> works for NSEC.

I could reproduce it in 9.7.1-P1 by just adding a DNSKEY record at
the apex but not in 9.7.2.  There were a number of NSEC3 fixes
between 9.7.1 and 9.7.2.  Upgrade.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
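
Added example, not part of the original message and not BIND code: a decoder for the type bitmap that NSEC and NSEC3 records carry (RFC 4034 section 4.1.2), used to list types the bitmap asserts but that are not held at the owner name. The bitmap bytes and the set of present types are constructed sample data.

```python
# Added example (not from the thread or from BIND). The wire bytes and the
# "present" set below are constructed sample data, not taken from a real zone.

MNEMONICS = {2: "NS", 6: "SOA", 46: "RRSIG", 48: "DNSKEY", 51: "NSEC3PARAM"}


def type_name(rrtype):
    """Mnemonic if known, else the RFC 3597 generic form (e.g. TYPE65534)."""
    return MNEMONICS.get(rrtype, f"TYPE{rrtype}")


def decode_type_bitmap(wire):
    """Decode an RFC 4034 section 4.1.2 type bitmap into a list of type codes."""
    types, pos, prev_window = [], 0, -1
    while pos < len(wire):
        if len(wire) - pos < 2:
            raise ValueError("truncated window header")
        window, length = wire[pos], wire[pos + 1]
        block = wire[pos + 2:pos + 2 + length]
        if not 1 <= length <= 32 or len(block) != length:
            raise ValueError(f"bad bitmap length in window {window}")
        if window <= prev_window:
            raise ValueError("window blocks out of order")
        for index, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.append((window << 8) | (index * 8 + bit))
        prev_window, pos = window, pos + 2 + length
    return types


def spurious_types(wire, present):
    """Types the bitmap asserts that are not in the set held at the owner name."""
    return [type_name(t) for t in decode_type_bitmap(wire) if t not in present]


# Constructed apex bitmap: window 0 lists NS SOA RRSIG DNSKEY NSEC3PARAM,
# window 255 lists type 65534 (octet 31, mask 0x02).
SAMPLE_BITMAP = bytes.fromhex("000722000000000290") + b"\xff\x20" + bytes(31) + b"\x02"
# Constructed: the types assumed to be actually present at the apex.
SAMPLE_PRESENT = {2, 6, 46, 48, 51}

if __name__ == "__main__":
    print("bitmap:", " ".join(type_name(t) for t in decode_type_bitmap(SAMPLE_BITMAP)))
    print("asserted but absent:", spurious_types(SAMPLE_BITMAP, SAMPLE_PRESENT))
```
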