[dns-operations] Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones

Florian Weimer fw at deneb.enyo.de
Wed Apr 22 11:08:45 UTC 2009


* Michael Graff:

> Florian Weimer wrote:
>> * Keith Mitchell:
>> 
>>> In order to give BIND DLV users time to upgrade their resolvers to these
>>> fixed versions, ISC is suspending addition of the .gov DNSSEC trust
>>> anchor in DLV until 1st May 2009.
>> 
>> Would it be possible to push back that date a bit?  Are there any
>> signed subzones of .GOV which would suffer from this?
>
> How many more weeks do you think we should delay re-adding .gov to
> dlv.isc.org?  And what, specifically, do you suggest be the all-clear
> trigger?

A working signed delegation for nist.gov (or any other child zone).

> I'm not saying we will, but I'm open to the idea.  I do not want to add
> it only to remove it again because we are still breaking people.
> However, I am worried that, to some extent, not breaking people causes
> people to not upgrade, too.

We can still meet the May 1st deadline at Debian.  The question is why
rush things if there aren't any signed delegations which would benefit
from the DLV entry?



More information about the dns-operations mailing list