[dns-operations] Problems resolving .gov using DLV

Paul Vixie vixie at isc.org
Wed Mar 18 15:44:19 UTC 2009

Edward Lewis <Ed.Lewis at neustar.biz> wrote:

> I want to ask this of Paul/ISC, so I can explain the "root cause" of the
> situation to interested parties.
> The problem with .GOV resolution involving the DLV entry is limited to a DS
> code path bug in certain versions of BIND.  (Question: "right?")  Is this
> bug present in all BIND versions from 9.3 to 9.5 inclusive?

that's my understanding.

> My reason for asking is that when it comes time to sign the TLDs I work
> for, I don't want to cause any outages for my registrants. (Okay, really, I
> don't want the registrants phoning in problems.)  On the one hand we want
> to progress security by adding DNSSEC but we also don't want to disrupt the
> stability of the network by adding DNSSEC.  If it is the case that we get a
> help desk call from someone saying "no one is getting to us" or "I can't
> get to them" I want to at least arm my help desk folks with a script that
> says something like: "is your DNS this kind of software?  if so, inform
> them there is a need to update it and/or alter an option."
> BTW, this is something we ran into configuring one of our name servers to
> be IPv6 only.  We found quite a few folks out there running "ancient-old"
> versions of software who were convinced to upgrade instead of getting mad
> at us or "technical progress." ;)

understood.  note that while BIND has a large market share, the number of
DLV users is comparatively small and most of them are running BIND9-latest
which does not have this problem.  (DLV is not turned on by default.)
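The help-desk check Ed describes above ("is your DNS this kind of software? if so, update it and/or alter an option") as a constructed example. This is added here and is not a script from the thread, ISC or Neustar. It assumes only what the thread states: the DS code path bug affects BIND 9.3 through 9.5 when DLV is in use, and DLV is off unless configured. The version probe uses `dig` against `version.bind` (class CHAOS), which many operators hide or override, so an unrecognised answer means "ask the operator", not "not affected"; the presence of an uncommented `dnssec-lookaside` statement in named.conf is taken as the sign that DLV is turned on. The named.conf fragment below is constructed inline for the demo and is not a real deployment.

```shell
#!/bin/sh
# Added example for the help-desk check discussed in the thread; not a script
# from ISC, Neustar or the list. Assumes, as the thread states, that the DS-path
# bug shows up in BIND 9.3 through 9.5 when DLV is turned on.

# bind_branch_affected VERSION -> affected | not-affected | unknown
# Classifies a version.bind string. Vendor suffixes ("9.3.6-P1-RedHat-...")
# still match on the leading major.minor.
bind_branch_affected() {
    case "$1" in
        9.3|9.3.*|9.4|9.4.*|9.5|9.5.*) echo affected ;;
        9.*)                            echo not-affected ;;
        *)                              echo unknown ;;
    esac
}

# query_bind_version SERVER -> version.bind TXT answer (CHAOS class), quotes
# stripped. Many operators hide or fake this, so an empty or odd answer means
# "ask them", not "clean". Network call; the offline demo below does not use it.
query_bind_version() {
    dig +short +time=2 +tries=1 @"$1" version.bind txt chaos 2>/dev/null | tr -d '"'
}

# dlv_enabled_in_config FILE -> true if an uncommented dnssec-lookaside
# statement is present (lines starting with // or # are ignored).
dlv_enabled_in_config() {
    grep -Eq '^[[:space:]]*dnssec-lookaside[[:space:]]' "$1"
}

# helpdesk_verdict VERSION NAMED_CONF -> one-line advice in the thread's terms:
# update the software and/or alter the option.
helpdesk_verdict() {
    branch=$(bind_branch_affected "$1")
    if dlv_enabled_in_config "$2"; then dlv=yes; else dlv=no; fi
    case "$branch:$dlv" in
        affected:yes)   echo "BIND $1 with DLV enabled: upgrade BIND or remove dnssec-lookaside" ;;
        affected:no)    echo "BIND $1 but DLV not configured: not this bug, look elsewhere" ;;
        not-affected:*) echo "BIND $1 is outside the affected range" ;;
        *)              echo "version '$1' not recognised as BIND: verify software with the operator" ;;
    esac
}

# sample_named_conf enabled|disabled -> path to a constructed named.conf
# fragment (not a real deployment). "enabled" carries an explicit DLV trust
# anchor; "disabled" has the same line commented out.
sample_named_conf() {
    f=$(mktemp)
    if [ "$1" = enabled ]; then dlvline='dnssec-lookaside "." trust-anchor dlv.isc.org;'
    else dlvline='// dnssec-lookaside "." trust-anchor dlv.isc.org;'; fi
    cat >"$f" <<EOF
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
    $dlvline
};
EOF
    echo "$f"
}

# Offline demo on constructed input: a resolver reporting 9.4.2-P2 with DLV on.
conf=$(sample_named_conf enabled)
helpdesk_verdict "9.4.2-P2" "$conf"
rm -f "$conf"
```

For a live check, `helpdesk_verdict "$(query_bind_version 192.0.2.53)" /etc/named.conf` on the customer's box gives the verdict; the named.conf half needs local access, since DLV status is not visible from outside.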

