On 02/13/2011 10:07 AM, Stephane Bortzmeyer wrote:
Note the TYPE65534, which I cannot explain. Greping bind-users
archives, or googling, reveal that other persons saw them but I did
not find a final explanation.
This is documented in the Bind ARM (at least, the one that comes with
the 9.8 beta). See Chapter 4, "Private-type records. Basically they
store signing process state.
i.e. the *presence* of the record is normal.
When this happens, the signature:
meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN RRSIG NSEC3 8 2 5400
20110408081500 20110207081500 2331 fr.
OFDRwZAgzDT1y8fTJ1XCfHlajEAHzqk2dsJaCR1TSednnBSEkctIUP6AsZuD+EOZtEPCM2Oe3cI/fG2GfA1nAUDaS1INN3I6YRpB3n2/oCfKBvs68fvCexBOIgz+oc74VrPvjDtPkVyGbJ5ImSlwu8Uc8rTXKh47CdS0AdJLmso=
is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr
NSEC3: no valid signature found') or an Unbound resolver ('debug:
verify: signature mismatch'). I fancy that the spurious TYPE65534 may have
been added after the signing.
That is, presumably, not normal.
I'm not very familiar with NSEC3 so can't say why it's happening.
Suffice to say we have these records in our NSEC zone and they don't
cause a problem.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
