[dns-operations] Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones
Michael Graff
michael_graff at isc.org
Wed Apr 22 18:18:00 UTC 2009
Craig Leres wrote:
> Chris Thompson wrote:
>> The announcement of the fixed BIND 9.4/9.5 versions, and the 1 May
>> deadline, was made on 20 March, here [dns-oarc] and on bind-announce/
>> bind-users (but not dlv-announce, apparently). Anyone using BIND
>> lookaside validation against dlv.isc.org *has* to be aware of the issue.
>
> I hadn't put two and two together until now but I guess the fact
> that I'm still running 9.6.0-P1 is a problem.

9.6.0-P1 is ok with respect to .gov (aka NSEC3). It has "the bug" but
also supports NSEC3, so it is not immediately affected. Once another
algorithm is added, however, 9.6.0-P1 will fail in exactly the same way.

There was no patch made for 9.6.0 because it was not immediately
necessary, and because 9.6.1 will have the correct fix.

I would recommend upgrading to 9.6.1 as soon as it is out, however.

--Michael