If you add DNSKEY records dynamically to a zone, BIND 9.6 signs the zone (provided the private keys are available) and it also creates TYPE65535 records at the zone apex (one for each key). I had assumed that these were necessary in some way for subsequent RRSIG refreshing, etc. But ...
With BIND 9.6.1b1, I signed a new zone with dnssec-signzone (using lots of jitter so that signature expiry times were well distributed) and *then* added it to named.conf (with the private keys available, and allow-update not "none"). Named churned a bit, but did not create any TYPE65535 records. "Bother", I thought, "that probably means it's not going to refresh the RRSIGs as they approach expiry."

But after leaving it for a bit, I found it was in fact refreshing them at the expected times after all, still with no TYPE65535 records being present. (And this state survives named being restarted.)

So what are the TYPE65535 records actually for?

--
Chris Thompson
Email: c...@cam.ac.uk

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
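The post describes signing a zone with dnssec-signzone using jitter and then watching named refresh the RRSIGs as they near expiry. The following is an added example, not code from the post or from BIND, showing how an operator can audit that from the zone file itself: it parses RRSIG records in BIND's presentation format, including the parenthesised multi-line form dnssec-signzone writes, reports how the jittered expiry times are spread, and computes when each signature falls due for re-signing. The refresh rule used here (re-sign once less than a quarter of the validity window remains) and the sample records are assumptions constructed for the illustration; in BIND the actual re-sign timing is controlled by the sig-validity-interval option.

```python
"""Audit RRSIG expiry and re-sign timing from a DNSSEC-signed zone file.

Added example, not code from the mailing-list post or from BIND itself.
"""
from datetime import datetime, timezone

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG expiration/inception presentation format (UTC)

# Constructed sample in the shape dnssec-signzone writes (parenthesised
# multi-line records).  Signature data is placeholder base64, not real signatures.
SAMPLE_ZONE = """\
$TTL 3600
example.test.     3600 IN SOA   ns.example.test. hostmaster.example.test. (
                                2024050201 7200 3600 1209600 3600 )
example.test.     3600 IN RRSIG SOA 8 2 3600 (
                                20240601000000 20240502000000 12345 example.test.
                                AAAA== )
example.test.     3600 IN RRSIG NS 8 2 3600 20240620000000 20240502000000 12345 example.test. BBBB==
www.example.test. 3600 IN RRSIG A 8 3 3600 (
                                20240505120000 20240502000000 12345 example.test.
                                CCCC== )  ; short-lived signature
"""


def parse_rrsig_time(s):
    """Turn an RRSIG timestamp such as 20240601000000 into an aware UTC datetime."""
    return datetime.strptime(s, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def _join_parenthesised(text):
    """Yield one logical record per item, folding ( ... ) continuation lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]        # drop zone-file comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def parse_rrsigs(zone_text):
    """Return a list of dicts describing every RRSIG in the zone text.

    Field order after the RRSIG token follows RFC 4034 presentation format:
    type-covered, algorithm, labels, original TTL, expiration, inception,
    key tag, signer name, signature.  Owner names are assumed to be written
    out on every record (no blank-owner continuation lines).
    """
    sigs = []
    for rec in _join_parenthesised(zone_text):
        f = rec.split()
        if "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        sigs.append({
            "owner": f[0],
            "covered": f[i + 1],
            "expiry": parse_rrsig_time(f[i + 5]),
            "inception": parse_rrsig_time(f[i + 6]),
            "keytag": int(f[i + 7]),
        })
    return sigs


def refresh_schedule(sigs, refresh_fraction=0.25):
    """Sorted (refresh_time, owner, type-covered) tuples.

    Assumed policy for illustration: a signature is re-signed once less than
    refresh_fraction of its validity window (expiry - inception) remains.
    """
    rows = []
    for s in sigs:
        validity = s["expiry"] - s["inception"]
        rows.append((s["expiry"] - validity * refresh_fraction, s["owner"], s["covered"]))
    return sorted(rows)


def due_now(sigs, now, refresh_fraction=0.25):
    """Signatures whose refresh time has already passed at `now` (aware datetime)."""
    return [(o, c) for t, o, c in refresh_schedule(sigs, refresh_fraction) if t <= now]


if __name__ == "__main__":
    sigs = parse_rrsigs(SAMPLE_ZONE)
    for when, owner, covered in refresh_schedule(sigs):
        print(f"{when.isoformat()}  {owner:20} {covered}")
    print("due at 2024-05-25:", due_now(sigs, parse_rrsig_time("20240525000000")))
```

Run against a real signed zone file, the spread of refresh times in the schedule shows directly whether the jitter did its job; a cluster of identical refresh times means one large re-signing burst rather than the smooth churn the post describes.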