2020-04-27 - News - Tony Finch
I have released a new version of nsdiff.
This release removes TYPE65534 records from the list of DNSSEC-related types that nsdiff ignores.
TYPE65534 is the private type that BIND uses to keep track of incremental signing. These records usually end up hanging around after signing is complete, cluttering up the zone. It would be neater if they were removed automatically.
In fact, it's safe to try to remove them using DNS UPDATE: if the records can be removed (because signing is complete), they will be; if they can't be removed then they are quietly left in place, and the rest of the update is applied.
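To see which TYPE65534 records a server would actually drop, the following added example (not part of nsdiff or of the original post) decodes them from zone text and picks out the ones flagged complete. It assumes the record layout documented in the BIND Administrator Reference Manual (algorithm, key tag, removal flag, complete flag) and one record per line in `owner ttl class type rdata` form; the sample zone lines and function names are constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample: TYPE65534 records in RFC 3597 generic form, plus one other RR.
SAMPLE_ZONE = """\
example.org. 0 IN TYPE65534 \\# 5 0D 3039 00 01
example.org. 0 IN TYPE65534 \\# 5 0D D431 00 00
example.org. 0 IN TYPE65534 \\# 5 08 1A2B 01 01
example.org. 0 IN TYPE65534 \\# 6 00 01 80 000A 00
example.org. 3600 IN NS ns1.example.org.
"""

class SigningState(NamedTuple):
    owner: str
    algorithm: int   # DNSSEC algorithm number of the key
    key_tag: int     # key id, network byte order in the record
    removal: bool    # signatures for this key are being removed
    complete: bool   # the signing or removal pass has finished

def parse_private_records(zone_text):
    """Return (signing_records, other_private_records) found in zone_text."""
    signing, other = [], []
    for line in zone_text.splitlines():
        f = line.split()
        # Only handle TYPE65534 written as: \# <length> <hex ...>
        if len(f) < 6 or f[3].upper() != "TYPE65534" or f[4] != "\\#":
            continue
        rdata = bytes.fromhex("".join(f[6:]))
        if len(rdata) != int(f[5]):
            raise ValueError(f"rdata length mismatch: {line!r}")
        if len(rdata) == 5 and rdata[0] != 0:
            signing.append(SigningState(
                f[0], rdata[0], int.from_bytes(rdata[1:3], "big"),
                rdata[3] != 0, rdata[4] != 0))
        else:
            # First octet zero: BIND uses this form for NSEC3 chain changes.
            other.append((f[0], rdata))
    return signing, other

def removable(records):
    """Records flagged complete; deletions of the rest are silently ignored."""
    return [r for r in records if r.complete]

if __name__ == "__main__":
    signing, other = parse_private_records(SAMPLE_ZONE)
    for r in signing:
        state = "complete, can be removed" if r.complete else "in progress, will be kept"
        print(f"{r.owner} alg={r.algorithm} tag={r.key_tag} removal={r.removal}: {state}")
    print(f"{len(other)} non-signing private record(s) left undecoded")
```
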
After this change you can clean away TYPE65534 records using nsdiff or nsvi. In our deployment, nspatch runs hourly and will now automatically clean TYPE65534 records when they are not needed.