BIND-9.16.1 & KASP

Mark Andrews marka at
Mon Apr 13 23:00:03 UTC 2020

> On 14 Apr 2020, at 04:54, Evan Hunt <each at> wrote:
> On Mon, Apr 13, 2020 at 02:22:53PM +0200, Mark Elkins wrote:
>> Question - What are the "TYPE65534" records? What are they saying? I am 
>> using "DiG 9.16.1" so surprised it doesn't know.
> This is a mechanism named uses to keep track of the status of zone
> signing operations, so that if there's a crash or power outage before
> signing is complete, it'll know which step it needs to resume on. To
> see the status in a human-readable form, use "rndc signing -list <zone>".
> If it says signing is complete, you're free to remove the records
> with "rndc signing -clear all <zone>”.

And the gory details from the ARM.

5.9.4. Private-type records

The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for the final octet (for those records which have a nonzero initial octet).

The private type record format: If the first octet is non-zero then the record indicates that the zone needs to be signed with the key matching the record, or that all signatures that match the record should be removed.

algorithm (octet 1)

key id in network order (octet 2 and 3)

removal flag (octet 4)

complete flag (octet 5)

Only records flagged as “complete” can be removed via dynamic update. Attempts to remove other private type records will be silently ignored.

If the first octet is zero (this is a reserved algorithm number that should never appear in a DNSKEY record) then the record indicates changes to the NSEC3 chains are in progress. The rest of the record contains an NSEC3PARAM record. The flag field tells what operation to perform based on the flag bits.





Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at

More information about the bind-users mailing list