[dns-operations] Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones

Chris Thompson cet1 at cam.ac.uk
Wed Apr 22 10:59:26 UTC 2009

On Apr 22 2009, Michael Graff wrote:

>Florian Weimer wrote:
>> * Keith Mitchell:
>>> In order to give BIND DLV users time to upgrade their resolvers to these
>>> fixed versions, ISC is suspending addition of the .gov DNSSEC trust
>>> anchor in DLV until 1st May 2009.
>> Would it be possible to push back that date a bit?  Are there any
>> signed subzones of .GOV which would suffer from this?

It's a secret. Why else would .GOV use NSEC3 in the first place? :-)

>How many more weeks do you think we should delay re-adding .gov to
>dlv.isc.org?  And what, specifically, do you suggest be the all-clear
>I'm not saying we will, but I'm open to the idea.  I do not want to add
>it only to remove it again because we are still breaking people.
>However, I am worried that, to some extent, not breaking people causes
>people to not upgrade, too.

If we were to vote, I would be voting against any further delay.
(That's partly for selfish reasons: I was planning to ramp up our
local testing validating servers for a final "this is going to be
exactly what the default ones will be doing in a couple of weeks"
trial on 1 May. I could add an explicit trust anchor for .GOV,
I suppose...)

The announcement of the fixed BIND 9.4/9.5 versions, and the 1 May
deadline, was made on 20 March, here [dns-oarc] and on bind-announce/
bind-users (but not dlv-announce, apparently). Anyone using BIND
lookaside validation against dlv.isc.org *has* to be aware of the issue.
We've had the Easter break for those who will only upgrade/reboot at
(very) quiet times. Do we really have to wait for Christmas?

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
