[dns-operations] Problems resolving .gov using DLV
Paul Vixie
vixie at isc.org
Wed Mar 18 15:44:19 UTC 2009

Edward Lewis <Ed.Lewis at neustar.biz> wrote:
> I want to ask this of Paul/ISC, so I can explain the "root cause" of the
> situation to interested parties.
>
> The problem with .GOV resolution involving the DLV entry is limited to a DS
> code path bug in certain versions of BIND. (Question: "right?") Is this
> bug present in all BIND versions from 9.3 to 9.5 inclusive?

that's my understanding.

> My reason for asking is that when it comes time to sign the TLDs I work
> for, I don't want to cause any outages for my registrants. (Okay, really, I
> don't want the registrants phoning in problems.) On the one hand we want
> to progress security by adding DNSSEC but we also don't want to disrupt the
> stability of the network by adding DNSSEC. If it is the case that we get a
> help desk call from someone saying "no one is getting to us" or "I can't
> get to them" I want to at least arm my help desk folks with a script that
> says something like: "is your DNS this kind of software? if so, inform
> them there is a need to update it and/or alter an option."
>
> BTW, this is something we ran into configuring one of our name servers to
> be IPv6 only. We found quite a few folks out there running "ancient-old"
> versions of software who were convinced to upgrade instead of getting mad
> at us or "technical progress." ;)

understood. note that while BIND has a large market share, the number of
DLV users is comparatively small and most of them are running BIND9-latest
which does not have this problem. (DLV is not turned on by default.)