Spurious "TYPE65534" at the end of a NSEC3, why?

Phil Mayers p.mayers at imperial.ac.uk
Sun Feb 13 11:01:48 UTC 2011

On 02/13/2011 10:40 AM, Stephane Bortzmeyer wrote:
> On Sun, Feb 13, 2011 at 11:07:31AM +0100,
>   Stephane Bortzmeyer<bortzmeyer at nic.fr>  wrote
>   a message of 35 lines which said:
>> Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and
>> the AEP keyper HSM), with DNSSEC enabled, dynamically signing
>> records.
> ...
>> at least in the second case, it was when updating a DNSKEY record
>> (an old ZSK was retired).
> I was not very clear, sorry: all provisioning is done (DNSKEY
> included) with dynamic updates. BIND is therefore responsible for
> keeping the NSEC3 chain (we use opt-out, by the way), and for signing,
> although the actual crypto is done by an AEP Keyper HSM.

The zone at the moment seems to be signed with NSEC; are you trying to 
perform an online transition from NSEC to NSEC3 via dynamic update?

More information about the bind-users mailing list