[dns-operations] Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones

Michael Graff michael_graff at isc.org
Wed Apr 22 18:18:00 UTC 2009

Hash: SHA1

Craig Leres wrote:
> Chris Thompson wrote:
>> The announcement of the fixed BIND 9.4/9.5 versions, and the 1 May
>> deadline, was made on 20 March, here [dns-oarc] and on bind-announce/
>> bind-users (but not dlv-announce, apparently). Anyone using BIND
>> lookaside validation against dlv.isc.org *has* to be aware of the issue.
> I hadn't put two and two together until now but I guess the fact
> that I'm still running 9.6.0-P1 is a problem.

9.6.0-P1 is ok with respect to .gov (aka NSEC3).  It has "the bug" but
also supports NSEC3, so it is not immediately affected.  Once another
algorithm is added, however, 9.6.0-P1 will fail in exactly the same way.

There was no patch made for 9.6.0 because it was not immediately
necessary, and because 9.6.1 will have the correct fix.

I would recommend upgrading to 9.6.1 as soon as it is out, however.

- --Michael

Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the dns-operations mailing list