Spurious "TYPE65534" at the end of a NSEC3, why?

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Feb 13 10:40:44 UTC 2011

On Sun, Feb 13, 2011 at 11:07:31AM +0100,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 35 lines which said:

> Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and
> the AEP keyper HSM), with DNSSEC enabled, dynamically signing
> records. 
> at least in the second case, it was when updating a DNSKEY record
> (an old ZSK was retired).

I was not very clear, sorry: all provisioning is done (DNSKEY
included) with dynamic updates. BIND is therefore responsible for
keeping the NSEC3 chain (we use opt-out, by the way), and for signing,
although the actual crypto is done by an AEP Keyper HSM.

More information about the bind-users mailing list