[dns-operations] Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones

Craig Leres leres at ee.lbl.gov
Wed Apr 22 18:01:38 UTC 2009

Chris Thompson wrote:
> The announcement of the fixed BIND 9.4/9.5 versions, and the 1 May
> deadline, was made on 20 March, here [dns-oarc] and on bind-announce/
> bind-users (but not dlv-announce, apparently). Anyone using BIND
> lookaside validation against dlv.isc.org *has* to be aware of the issue.

I hadn't put two and two together until now but I guess the fact
that I'm still running 9.6.0-P1 is a problem.

I typically run the highest released version of bind and build and
install a package from the FreeBSD ports tree. However, since no
patch was created for 9.6 (which seemed odd to me), the FreeBSD
port has not been patched and I'm left in the awkward position of
either upgrading to "the latest beta release version" (for which
there's no FreeBSD port and anyway is a move I probably can't defend
with management) or downgrading to 9.5.

I asked about this in a few different venues but never received an
answer. At this point I sort of feel I have been left swinging in
the breeze; can we get a patch for 9.6? Should I not be running 9.6
on ~50 FreeBSD boxes (including 8 authoritative nameservers)? The
only issues I've had with 9.6 have been operational and strictly
the result of my decision to run DLV, not because of the specific
version I picked.

