[dns-operations] Problems resolving .gov using DLV
Edward Lewis
Ed.Lewis at neustar.biz
Wed Mar 18 14:15:02 UTC 2009
At 3:28 +0000 3/18/09, Paul Vixie wrote:
>it should be, but isn't. a separate "if alg is unknown treat as unsigned"
>test was needed in BIND for the DLV case, and it was not present.
I want to ask this of Paul/ISC, so I can explain the "root cause" of the situation to interested parties.

The problem with .GOV resolution involving the DLV entry is limited to a DS code path bug in certain versions of BIND. (Question: "right?") Is this bug present in all BIND versions from 9.3 to 9.5 inclusive?

My reason for asking is that when it comes time to sign the TLDs I work for, I don't want to cause any outages for my registrants. (Okay, really, I don't want the registrants phoning in problems.) On the one hand we want to progress security by adding DNSSEC, but we also don't want to disrupt the stability of the network by adding DNSSEC. If it is the case that we get a help desk call from someone saying "no one is getting to us" or "I can't get to them", I want to at least arm my help desk folks with a script that says something like: "is your DNS this kind of software? If so, inform them there is a need to update it and/or alter an option."

BTW, this is something we ran into configuring one of our name servers to be IPv6 only. We found quite a few folks out there running "ancient-old" versions of software who were convinced to upgrade instead of getting mad at us or "technical progress." ;)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.
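An added illustrative example (not BIND's code and not from the thread) of the check Paul describes: a validator that finds only DS or DLV records whose algorithm or digest type it does not implement must treat the delegation as unsigned (insecure) rather than bogus, per RFC 4035 section 5.2. The resolver's supported-algorithm sets and the DS values below are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DSRecord:
    """One DS (or DLV) record; only the algorithm/digest fields matter here."""
    key_tag: int
    algorithm: int     # DNSKEY algorithm number, e.g. 5 = RSASHA1
    digest_type: int   # DS digest type, e.g. 1 = SHA-1
    digest: str        # hex digest; never verified in this example

# Constructed assumption: an old resolver that implements only RSASHA1 and SHA-1.
OLD_RESOLVER_ALGS = {5}
OLD_RESOLVER_DIGESTS = {1}

def classify_delegation(ds_rrset, supported_algs=OLD_RESOLVER_ALGS,
                        supported_digests=OLD_RESOLVER_DIGESTS,
                        unknown_alg_check=True):
    """Decide what a validator should do with a DS/DLV RRset for a delegation.

    Returns 'insecure' (treat the child as unsigned), 'validate' (at least one
    DS is usable: go fetch the DNSKEY and verify) or 'bogus'.
    unknown_alg_check=False reproduces the missing test described in the
    thread: a usable record is required, so unknown algorithms become bogus.
    """
    if not ds_rrset:
        # Authenticated denial of a DS RRset: the delegation is unsigned.
        return "insecure"
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algs
              and ds.digest_type in supported_digests]
    if usable:
        return "validate"
    if unknown_alg_check:
        # RFC 4035 section 5.2: DS records exist but none uses an algorithm
        # and digest type this resolver implements, so treat as unsigned.
        return "insecure"
    # Without the separate check, "no DS matched" is indistinguishable from
    # a failed validation and the whole zone below the cut becomes bogus.
    return "bogus"

# Constructed sample: a DS/DLV record for a key using algorithm 7
# (RSASHA1-NSEC3-SHA1), which the old resolver above does not implement.
SAMPLE_RRSET = [DSRecord(key_tag=12345, algorithm=7, digest_type=1,
                         digest="ab" * 20)]

if __name__ == "__main__":
    print(classify_delegation(SAMPLE_RRSET))                           # insecure
    print(classify_delegation(SAMPLE_RRSET, unknown_alg_check=False))  # bogus
    print(classify_delegation(SAMPLE_RRSET, supported_algs={5, 7}))    # validate
```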