[dns-operations] Problems resolving .gov using DLV
Michael Graff
michael_graff at isc.org
Wed Mar 18 14:42:17 UTC 2009
Inline replies if my phone allows it.
--Michael
On Mar 18, 2009, at 9:15, Edward Lewis <Ed.Lewis at neustar.biz> wrote:
> At 3:28 +0000 3/18/09, Paul Vixie wrote:
>
>> it should be, but isn't. a separate "if alg is unknown treat as unsigned"
>> test was needed in BIND for the DLV case, and it was not present.
>
> I want to ask this of Paul/ISC, so I can explain the "root cause" of
> the situation to interested parties.
>
> The problem with .GOV resolution involving the DLV entry is limited
> to a DS code path bug in certain versions of BIND. (Question:
> "right?") Is this bug present in all BIND versions from 9.3 to 9.5
> inclusive?
Not DS. DLV records only. It is a bug where we did not handle the
no-supported-algorithm case in that code path.
The bug is in all versions, but 9.6.1 will have the future-proof patch
applied. I don't believe 9.6.1b1 will, but b2 or later will.
It is only a problem in pre-9.6 operationally, because these are in the
wild.
>
> My reason for asking is that when it comes time to sign the TLDs I
> work for, I don't want to cause any outages for my registrants.
> (Okay, really, I don't want the registrants phoning in problems.)
> On the one hand we want to progress security by adding DNSSEC but we
> also don't want to disrupt the stability of the network by adding
> DNSSEC. If it is the case that we get a help desk call from someone
> saying "no one is getting to us" or "I can't get to them" I want to
> at least arm my help desk folks with a script that says something
> like: "is your DNS this kind of software? if so, inform them there
> is a need to update it and/or alter an option."
>
> BTW, this is something we ran into configuring one of our name
> servers to be IPv6 only. We found quite a few folks out there
> running "ancient-old" versions of software who were convinced to
> upgrade instead of getting mad at us or "technical progress." ;)
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar
> You can leave a voice message at +1-571-434-5468
>
> Getting everything you want is easy if you don't want much.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
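The rule the thread is about, "if the DS/DLV set contains no algorithm the validator supports, treat the zone as unsigned rather than as a validation failure" (RFC 4035 section 5.2), is easy to get wrong on a less-travelled code path. The following is an added example written for this archive page; it is not BIND code and not from any of the posters. It models a validator's decision for one delegation with a minimal DS/DNSKEY representation and a constructed "supported algorithms" set; the key bytes and algorithm number 200 are constructed stand-ins, not real keys or an assigned algorithm.

```python
# Added example (not BIND code, not from the thread): a validator's decision
# for a delegation when the DS (or DLV) RRset uses algorithms it does not support.
import hashlib
from dataclasses import dataclass

# Algorithms this toy validator supports. 5 (RSASHA1) and 8 (RSASHA256) are
# real IANA numbers; which ones a given validator supports is an assumption here.
SUPPORTED_ALGORITHMS = {5, 8}
# DS digest types (RFC 4034, RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_FUNCTIONS = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | public key
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit key tag computed over the DNSKEY RDATA.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def canonical_wire_name(name: str) -> bytes:
    # RFC 4034 section 6.2 canonical form: lowercase, length-prefixed labels, root label last.
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    # RFC 4034 section 5.1.4: digest = H(canonical owner name | DNSKEY RDATA).
    h = DIGEST_FUNCTIONS[digest_type](canonical_wire_name(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, h)


def classify_delegation(owner: str, ds_set: list, dnskey_set: list) -> str:
    """Return 'insecure', 'secure' or 'bogus' for a delegation with a DS/DLV set.

    If no DS record uses an algorithm AND digest type this validator supports,
    the delegation is treated as unsigned ('insecure'). Only when a usable DS
    exists and nothing in the DNSKEY set matches it do we answer 'bogus'.
    """
    usable = [ds for ds in ds_set
              if ds.algorithm in SUPPORTED_ALGORITHMS and ds.digest_type in DIGEST_FUNCTIONS]
    if not usable:
        return "insecure"  # the case the thread says the DLV path forgot
    for ds in usable:
        for key in dnskey_set:
            if key.algorithm != ds.algorithm or key.key_tag() != ds.key_tag:
                continue
            if make_ds(owner, key, ds.digest_type).digest == ds.digest:
                return "secure"
    return "bogus"


if __name__ == "__main__":
    # Constructed sample key: the public key bytes are a stand-in, not a real RSA key.
    ksk = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=b"\x03\x01\x00\x01" + b"\x42" * 32)
    print(classify_delegation("example.", [make_ds("example.", ksk, 2)], [ksk]))  # secure
    # Only an algorithm this validator does not know (200 is a constructed number):
    # must come back insecure, not bogus.
    unknown = DS(key_tag=1234, algorithm=200, digest_type=2, digest=b"\x00" * 32)
    print(classify_delegation("example.", [unknown], [ksk]))  # insecure
    # Supported algorithm, right key tag, wrong digest: bogus.
    bad = DS(ksk.key_tag(), 8, 2, b"\x00" * 32)
    print(classify_delegation("example.", [bad], [ksk]))  # bogus
```

The three cases in the `__main__` block are the ones an operator would want a resolver to distinguish: a DS set that only contains algorithms the resolver does not implement must yield a normal, unvalidated answer, which is why a zone signed with a newer algorithm does not go dark for older validators that follow the rule.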