BIND-9.16.1 & KASP

Mark Elkins mje at
Mon Apr 13 12:22:53 UTC 2020

Hi all,

I have been experimenting with BIND-9.16.1 & KASP. So far - it really 
looks great and it should greatly simplify DNSSEC for the masses.

My named.conf entry:-

dnssec-policy "ecdsa256-policy" {
     dnskey-ttl 3600;
     keys {
         ksk lifetime unlimited algorithm ecdsa256;
         zsk lifetime 34d algorithm ecdsa256;
     };
};

zone "" {
         type master;
         file "/etc/ns.d/pri/";
         key-directory "/etc/ns.d/pri/";
         dnssec-policy "ecdsa256-policy";
};

My experimental zone ( is still waiting for the initial period of 
(I think) about 25 hours since setup, so no CDS records in the zone yet - 
but I do have two new unknown records. From the command:-
dig @localhost axfr | grep -v RRSIG

        1200    IN    SOA    2018091104 86400 10800 604800 600
        0       IN    TYPE65534    \# 5 0D0D740001
        0       IN    TYPE65534    \# 5 0D1BDA0001
        3600    IN    DNSKEY    256 3 13 pgljMfMC5PIfNeLp+ZZKH0D0nJVSGg==
        3600    IN    DNSKEY    257 3 13 jKcqBWrSkoiKbxI2IcbSECynYrehAA==
        1200    IN    A

In my own web management interface, it collects the KSK DNSKEY and 
generates its own CDS - which it then EPP's up to the parent. That all 
got done late last night - so the zone is secure (asking - AD is 
set and correct data returns).

Question - What are the "TYPE65534" records? What are they saying? I am 
using "DiG 9.16.1" so surprised it doesn't know.

My zone's '$TTL' is 1200... so I would have thought the CDS record would 
have appeared by now.
I "signed" the zone at Apr 12 21:27 +02:00 and it's now 16 hours later. I 
thought the biggest delay factor is the zone's $TTL, often set to one day.

Looks like the SOA Serial Number still needs to be maintained manually. 
Was expecting a more OpenDNSSEC approach. Would love an automated 
YYYYMMDDxx number - date it was last 'modified'. Would be perfect for 
small zones that are rarely updated.


Mark James ELKINS  -  Posix Systems - (South) Africa
mje at       Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA:
