In message <4d5806ef.7000...@imperial.ac.uk>, Phil Mayers writes: > On 02/13/2011 11:35 AM, Stephane Bortzmeyer wrote: > > On Sun, Feb 13, 2011 at 10:51:30AM +0000, > > Phil Mayers<p.may...@imperial.ac.uk> wrote > > a message of 31 lines which said: > > > >> This is documented in the Bind ARM > > > > OK, thanks, I missed this section. > > > >> i.e. the *presence* of the record is normal. > > > > I'm not convinced (and the ARM is far from clear about it). > > Well, you're correct that they are absent "most" of the time. > > OTOH I have a zone (NSEC not NSEC3) which is managed by dynamic updates > currently has a TYPE65534 at the apex, and the NSEC record names the > TYPE65534 and it's RRSIG is valid - try: > > dig +dnssec bar.ic.ac.uk > > (assuming the TYPE65534 doesn't vanish... in the meantime) > > IOW, it sounds like a bug in the code for NSEC3, because I think it > works for NSEC.
I could reproduce it in 9.7.1-P1 by just adding a DNSKEY record at the apex but not in 9.7.2. There were a number of NSEC3 fixes between 9.7.1 and 9.7.2. Upgrade. > _______________________________________________ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users