BIND-9.16.1 & KASP

Evan Hunt each at
Mon Apr 13 18:54:36 UTC 2020

On Mon, Apr 13, 2020 at 02:22:53PM +0200, Mark Elkins wrote:
> Question - What are the "TYPE65534" records? What are they saying? I am 
> using "DiG 9.16.1" so surprised it doesn't know.

This is a mechanism named uses to keep track of the status of zone
signing operations, so that if there's a crash or power outage before
signing is complete, it'll know which step it needs to resume on. To
see the status in a human-readable form, use "rndc signing -list <zone>".
If it says signing is complete, you're free to remove the records
with "rndc signing -clear all <zone>".

> My zones '$TTL' is 1200... so I would have thought the CDS record would 
> have appeared by now.
> I "signed" the zone at Apr 12 21:27 +02:00 and its now 16 hours later. I 
> thought the biggest delay factor is the zones $TTL, often set to one day.

I'm... not sure CDS is published automaitcally yet. I'd have to check to be
sure, but I think that's coming in a future release.

> Looks like the SOA Serial Number still needs to be maintained manually. 
> Was expecting a more OpenDNSSEC approach. Would love an automated 
> YYYYMMDDxx number - date it was last 'modified'. Would be perfect for 
> small zones that are rarely updated.

I think the zone option "serial-update-method date;" does this. (I haven't
tested it with dnssec-policy though.)

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list