Are the TYPE65535 RRs necessary?

Chris Thompson cet1 at cam.ac.uk
Mon May 18 16:31:54 UTC 2009


If you add DNSKEY records dynamically to a zone, BIND 9.6 signs the
zone (provided the private keys are available) and it also creates
TYPE65535 records at the zone apex (one for each key). I had assumed
that these were necessary in some way for subsequent RRSIG refreshing,
etc. But ...

With BIND 9.6.1b1, I signed a new zone with dnssec-signzone (using
lots of jitter so that signature expiry times were well distributed)
and *then* added it to named.conf (with the private keys available,
and allow-update not "none"). Named churned a bit, but did not create
any TYPE65535 records. "Bother", I thought, "that probably means it's
not going to refresh the RRSIGs as they approach expiry." But after
leaving it for a bit, I found it was in fact refreshing them at the
expected times after all, still with no TYPE65535 records being present.
(And this state survives named being restarted.)

So what are the TYPE65535 records actually for?

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
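A monitoring check for the situation described in the post, added here as an example; it is not from the original message or from BIND itself. It scans zone data in presentation format (as printed by dig or dnssec-signzone) for RRSIGs nearing expiry, which is what the post worries about, and decodes any TYPE65535 records found. The sample lines are constructed, and the 5-byte layout assumed for the TYPE65535 RDATA (algorithm, 16-bit key tag, removal flag, complete flag) is my reading of BIND's private-type convention, not something the post states.

```python
import re
from datetime import datetime, timezone

# Constructed sample zone lines in presentation format (not real signatures).
SAMPLE_ZONE = """\
example.net. 3600 IN RRSIG SOA 7 2 3600 20090620120000 20090521120000 484 example.net. AbCd==
example.net. 3600 IN RRSIG DNSKEY 7 2 3600 20090601000000 20090502000000 21098 example.net. EfGh==
example.net. 0 IN TYPE65535 \\# 5 0701E40000
"""

# owner ttl IN RRSIG type alg labels origttl expiry inception keytag signer sig...
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+\S+\s+"
)

def parse_sigtime(s):
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsigs_expiring(zone_text, now, within_days):
    """Return (owner, covered type, key tag, days left) for RRSIGs that
    expire within `within_days` of `now`; these are the ones named should
    have refreshed already if re-signing is working."""
    out = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        days_left = (parse_sigtime(m.group(4)) - now).total_seconds() / 86400
        if days_left <= within_days:
            out.append((m.group(1), m.group(2), int(m.group(6)), round(days_left, 1)))
    return out

def decode_private_type(rdata):
    """Decode TYPE65535 RDATA given in RFC 3597 generic form ('\\# 5 <hex>').
    Assumed layout: byte 0 algorithm, bytes 1-2 key tag (big-endian),
    byte 3 removal flag, byte 4 complete flag."""
    m = re.match(r"\\#\s+(\d+)\s+([0-9A-Fa-f]+)$", rdata.strip())
    if not m or int(m.group(1)) != 5:
        raise ValueError("not a 5-byte private type record")
    b = bytes.fromhex(m.group(2))
    return {"algorithm": b[0], "keytag": (b[1] << 8) | b[2],
            "remove": bool(b[3]), "complete": bool(b[4])}

def private_type_records(zone_text):
    """Return (owner, decoded RDATA) for every TYPE65535 record in the text."""
    out = []
    for line in zone_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[3] == "TYPE65535":
            out.append((parts[0], decode_private_type(parts[4])))
    return out
```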
