[dns-operations] Problems resolving .gov using DLV

Michael Graff michael_graff at isc.org
Wed Mar 18 14:42:17 UTC 2009

Inline replies if my phone allows it.


On Mar 18, 2009, at 9:15, Edward Lewis <Ed.Lewis at neustar.biz> wrote:

> At 3:28 +0000 3/18/09, Paul Vixie wrote:
>> it should be, but isn't.  a separate "if alg is unknown treat as  
>> unsigned"
>> test was needed in BIND for the DLV case, and it was not present.
> I want to ask this of Paul/ISC, so I can explain the "root cause" of  
> the situation to interested parties.
> The problem with .GOV resolution involving the DLV entry is limited  
> to a DS code path bug in certain versions of BIND.  (Question:  
> "right?")  Is this bug present in all BIND versions from 9.3 to 9.5  
> inclusive?

Not ds. Dlv records only. It is a bug where we did not handle the no  
supported algorithm case in that code path.

The bug is in all versions but 9.6.1 will have the future-proof patch  
applied. I don't believe 9.6.1b1 will but b2 or later will.

It is only a problem in pre 9.6 operationally because these are in the  

> My reason for asking is that when it comes time to sign the TLDs I  
> work for, I don't want to cause any outages for my registrants.  
> (Okay, really, I don't want the registrants phoning in problems.)   
> On the one hand we want to progress security by adding DNSSEC but we  
> also don't want to disrupt the stability of the network by adding  
> DNSSEC.  If it is the case that we get a help desk call from someone  
> saying "no one is getting to us" or "I can't get to them" I want to  
> at least arm my help desk folks with a script that says something  
> like: "is your DNS this kind of software?  if so, inform them there  
> is a need to update it and/or alter an option."
> BTW, this is something we ran into configuring one of our name  
> servers to be IPv6 only.  We found quite a few folks out there  
> running "ancient-old" versions of software who were convinced to  
> upgrade instead of getting mad at us or "technical progress." ;)
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
> =-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
> Getting everything you want is easy if you don't want much.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list