[dns-operations] Problems resolving .gov using DLV

Keith Mitchell keith_mitchell at isc.org
Tue Mar 17 00:58:28 UTC 2009


Michael Sinatra wrote:
> On 03/16/09 14:37, Dave Knight wrote:
>> Algorithm 7 is RSASHA1-NSEC3-SHA1, see 
>> http://www.iana.org/assignments/dns-sec-alg-numbers/
>> 
>> BIND didn't gain NSEC3 support until 9.6.0, see 
>> https://www.isc.org/software/bind/new-features/9.6
> The problem is that the DLV supports RSASHA1-NSEC3-SHA1, but BIND < 
> 9.6.0 doesn't.  That (apparently) means that systems using the DLV
> that run older versions of BIND CANNOT resolve hosts in a zone that
> in signed with a RSASHA1-NSEC3-SHA1 key!

Thanks Michael for flagging this up. When specing DLV the possibility
that a TLD submitting trust anchors to DLV might use only NSEC3 for
signing it, when many servers out there do not support NSEC3, was
clearly overlooked.

Since this is clearly causing operational pain for various people, we
(ISC as DLV provider) have temporarily rolled .gov out of DLV. We have a
number of ideas for work-arounds (and more ideas/suggestions welcome)
which should allow behavior to be less surprising/more useful for DLV
users running non-NSEC3 servers such as pre-BIND9.6.0, at least until
folks have had a chance to upgrade.

Rather than leap at one of these work-arounds, we want to just do a
little sanity checking first as to the best approach(es), and that
the(ir) implementation is sound. Once we've done that (the plan is in a
few days) we will make a further announcement here, with a short-term
timeline for re-inserting .gov into DLV.

Keith
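
The algorithm mismatch discussed in this thread, as an added example that is not code from the post or from ISC: given a zone's DS/DLV-style anchor records and a resolver's BIND version, it reports whether the resolver has any anchor whose algorithm it supports. Assumptions: only algorithms 5 and 7 from the thread are modelled (support for 7 keyed to BIND 9.6.0 as the thread states), and the sample record is constructed with placeholder key tag and digest.

```python
# Added example, not code from the original post or from ISC. For a zone's
# DS/DLV-style anchor records, check whether a resolver's DNSSEC algorithm
# set covers at least one anchor; if none is covered, validation cannot work.

# Algorithm numbers as in the IANA registry linked in the thread.
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7

def parse_version(version):
    """'9.5.1' -> (9, 5, 1), so BIND versions compare numerically."""
    return tuple(int(p) for p in version.split("."))

def bind_supported_algorithms(version):
    """Assumption for this example: only the two algorithms from the thread
    are modelled; algorithm 7 (NSEC3) support arrived in BIND 9.6.0."""
    algs = {RSASHA1}
    if parse_version(version) >= (9, 6, 0):
        algs.add(RSASHA1_NSEC3_SHA1)
    return algs

def parse_anchor(record):
    """Parse a DS/DLV record in presentation format:
    '<owner> IN DS|DLV <key tag> <algorithm> <digest type> <digest>'."""
    fields = record.split()
    owner, rrtype = fields[0], fields[2]
    if rrtype not in ("DS", "DLV"):
        raise ValueError("not a DS/DLV record: %s" % record)
    key_tag, algorithm, digest_type = (int(f) for f in fields[3:6])
    return {"owner": owner, "key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": fields[6]}

def usable_anchors(records, supported):
    """Anchors the resolver can actually use: the algorithm must be supported."""
    return [a for a in map(parse_anchor, records) if a["algorithm"] in supported]

def can_validate(records, bind_version):
    """True if at least one anchor uses an algorithm this BIND version knows."""
    return bool(usable_anchors(records, bind_supported_algorithms(bind_version)))

# Constructed sample (placeholder key tag and digest): a zone whose only
# anchor uses algorithm 7, the situation the thread describes for .gov.
SAMPLE_ANCHORS = [
    "gov. IN DLV 12345 7 1 0123456789abcdef0123456789abcdef01234567",
]

if __name__ == "__main__":
    for ver in ("9.5.1", "9.6.0"):
        print(ver, "has a usable anchor:", can_validate(SAMPLE_ANCHORS, ver))
```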


