[dns-operations] Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones

Michael Sinatra michael at rancid.berkeley.edu
Wed Apr 22 18:09:03 UTC 2009

On 04/22/09 11:01, Craig Leres wrote:
> Chris Thompson wrote:
>> The announcement of the fixed BIND 9.4/9.5 versions, and the 1 May
>> deadline, was made on 20 March, here [dns-oarc] and on bind-announce/
>> bind-users (but not dlv-announce, apparently). Anyone using BIND
>> lookaside validation against dlv.isc.org *has* to be aware of the issue.
> I hadn't put two and two together until now but I guess the fact
> that I'm still running 9.6.0-P1 is a problem.
> I typically run the highest released version of bind and build and
> install a package from the FreeBSD ports tree. However, since no
> patch was created for 9.6 (which seemed odd to me), the FreeBSD
> port has not been patched and I'm left in the awkward position of
> either upgrading to "the latest beta release version" (for which
> there's no FreeBSD port and anyway is a move I probably can't defend
> with management) or downgrading to 9.5.
> I asked about this in a few different venues but never received an
> answer. At this point I sort of feel I have been left swinging in
> the breeze; can we get a patch for 9.6? Should I not be running 9.6
> on ~50 FreeBSD boxes (including 8 authoritative nameservers)? The
> only issues I've had with 9.6 have been operational and strictly
> the result of my decision to run DLV, not because of the specific
> version I picked.

Since 9.6.0-P1 supports NSEC3, the issue is not immediate if you are
running 9.6.0-P1.  It will work fine for .gov resolution; I verified
this by quickly upgrading a number of caching resolvers at Berkeley when
the .gov DLV record was still in place.  The only issue occurs when a
DLV starts to support an algorithm that 9.6.x doesn't support.  Since
that is currently not the case, you will be okay for the May 1 deadline.
Moreover, the patch for 9.6.x can be released in a more leisurely
manner, probably in time for 9.6.1 release.
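The failure mode Michael describes above (a resolver that lacks an algorithm used by a zone reached through DLV) can be checked for before a deadline rather than discovered in production. The following is an added example, not code from this thread or from ISC; it parses a DNSKEY RRset in presentation format and reports, per zone, whether a resolver with a given set of implemented algorithms could validate it. The zone names, key material and the two "resolver capability" sets are constructed placeholders; the real list for a BIND release must come from its release notes.

```python
"""Audit DNSKEY records against the DNSSEC algorithms a validating resolver
implements. Added example for the thread above; not ISC code."""

from collections import defaultdict

# IANA DNS Security Algorithm Numbers (RFC 4034, RFC 5155, RFC 5702).
ALGORITHM_NAMES = {
    3: "DSA",
    5: "RSASHA1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
}

# Hypothetical capability sets used only to drive the example. They stand in
# for "a resolver without NSEC3 support" and "a resolver with it"; they are
# NOT the algorithm lists of any particular BIND version.
RESOLVER_PRE_NSEC3 = {3, 5}
RESOLVER_WITH_NSEC3 = {3, 5, 6, 7}

# Constructed sample data: fake zone names and fake (truncated) key blobs.
SAMPLE_DNSKEYS = """\
; constructed sample, not real keys
example-nsec.test.  3600 IN DNSKEY 257 3 5 AwEAAfakeKSK...
example-nsec.test.  3600 IN DNSKEY 256 3 5 AwEAAfakeZSK...
example-nsec3.test. 3600 IN DNSKEY 257 3 7 AwEAAfakeKSK...
example-nsec3.test. 3600 IN DNSKEY 256 3 7 AwEAAfakeZSK...
example-mixed.test. 3600 IN DNSKEY 257 3 5 AwEAAfakeKSK...
example-mixed.test. 3600 IN DNSKEY 256 3 8 AwEAAfakeZSK...
"""


def parse_dnskey_rrs(zone_text):
    """Yield (owner, flags, algorithm) for each DNSKEY line in presentation
    format: owner [TTL] [class] DNSKEY flags protocol algorithm key..."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "DNSKEY" not in upper:
            continue  # comments, blank lines, other RR types
        i = upper.index("DNSKEY")
        if len(fields) < i + 4:
            continue  # truncated record; nothing to audit
        owner = fields[0].lower()
        flags = int(fields[i + 1])
        algorithm = int(fields[i + 3])
        records.append((owner, flags, algorithm))
    return records


def validation_outlook(zone_text, supported):
    """Return {owner: verdict}.

    'validatable'  every DNSKEY algorithm is implemented by the resolver
    'partial'      at least one algorithm is implemented, others are not
    'unsupported'  no DNSKEY algorithm is implemented; the resolver cannot
                   validate this zone at all
    """
    algs_by_owner = defaultdict(set)
    for owner, _flags, alg in parse_dnskey_rrs(zone_text):
        algs_by_owner[owner].add(alg)

    verdicts = {}
    for owner, algs in algs_by_owner.items():
        if not (algs & supported):
            verdicts[owner] = "unsupported"
        elif algs - supported:
            verdicts[owner] = "partial"
        else:
            verdicts[owner] = "validatable"
    return verdicts


def report(zone_text, supported):
    """Human-readable lines naming the algorithms a resolver is missing."""
    lines = []
    for owner, _flags, alg in parse_dnskey_rrs(zone_text):
        if alg not in supported:
            name = ALGORITHM_NAMES.get(alg, "unknown")
            lines.append(f"{owner} uses algorithm {alg} ({name}) not implemented")
    return lines


if __name__ == "__main__":
    for label, caps in (("pre-NSEC3", RESOLVER_PRE_NSEC3),
                        ("with-NSEC3", RESOLVER_WITH_NSEC3)):
        print(label, validation_outlook(SAMPLE_DNSKEYS, caps))
        for line in report(SAMPLE_DNSKEYS, caps):
            print("  ", line)
```

In practice the input would be the output of a `dig DNSKEY` query against each zone of interest, and the capability set would be read from the release notes of the resolver version actually deployed. The "unsupported" verdict is the one that matters for the situation in the thread: a zone reachable through DLV whose keys use only algorithms the resolver does not implement.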

