[dns-operations] Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones

Keith Mitchell keith_mitchell at isc.org
Fri Mar 20 22:59:16 UTC 2009

Users of BIND version 9.5.x or 9.4.x AND DLV

ISC announced a new user interface for DLV - DNSSEC Lookaside Validation
on March 11th. We have been running the DLV service in limited
production and will shortly be ready to move to full production.

On 15th March 09 the US Government .gov TLD was added to DLV. The .gov
zone is the first major TLD we know of to have been signed using NSEC3,
which uses the NSEC3RSASHA1 DNSKEY signature algorithm.

Unfortunately this change highlighted a shortcoming in the handling of
DLV lookups for BIND versions 9.3, 9.4 and 9.5, which do not support
or recognize the NSEC3RSASHA1 signature algorithm used with NSEC3. DLV
processing in these affected versions did not handle unknown signature
algorithms correctly. They should have treated data signed with
unknown signature algorithms as equivalent to unsigned data, as base
DNSSEC does, but instead treated them as a validation failure.

This was causing significant operational issues for those DNSSEC early
adopters using DLV to validate .gov zones. As a consequence, to avoid
service disruption, ISC has temporarily removed the .gov trust anchor
from DLV.

ISC has generated software patches applicable to BIND versions
9.4.3 and 9.5.1 which correct the resolution behavior. These
patches can be downloaded from:


PGP signatures and Windows binary kits for these patches are in the
usual places, see the individual release announcements for details.
DLV users running versions of BIND prior to 9.4 are recommended to
upgrade, or to contact ISC for assistance.

ISC is also conducting beta trials of the latest BIND release, 9.6.1.
Note: Although 9.6.0 has the same error handling for unknown algorithms
as the prior versions, the problem will not be triggered as native
support for NSEC3-signed zones is included.

Early adopters wishing to run fully patched BIND 9.6.1 code should run
the latest beta release version:


In order to give BIND DLV users time to upgrade their resolvers to these
fixed versions, ISC is suspending addition of the .gov DNSSEC trust
anchor in DLV until 1st May 2009. From that date onwards it is assumed
that all DLV users will be running BIND versions amended with the above
patch, and that .gov and other zones with all possible signature
algorithms will be present in DLV, which will only be supported for
resolvers with the correct behavior as per this patch.

Note also that this problem only manifests itself for dynamic trust
anchor lookups via services such as DLV, and there are no issues for
statically configured trust anchors, even with unknown signature
algorithms. DNSSEC users who wish to validate .gov and other
NSEC3-signed zones prior to 1st May are recommended to statically add
these trust anchors to their configuration meantime.
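To make the behaviour described above concrete, here is an added Python model (not ISC's code; the per-version algorithm-support sets are assumptions made only for the model) of the outcomes the statement contrasts: the base-DNSSEC rule for a statically configured trust anchor, the DLV lookup path before and after the patch, and a 9.6 resolver with native NSEC3 support.

```python
from enum import Enum


class Outcome(Enum):
    SECURE = "secure"      # chain of trust validated
    INSECURE = "insecure"  # treated as unsigned data; answer is still returned
    BOGUS = "bogus"        # validation failure; resolver answers SERVFAIL


# DNSSEC algorithm numbers from the IANA registry.
RSASHA1 = 5
NSEC3RSASHA1 = 7

# Assumed support sets for this model: 9.4/9.5 do not know algorithm 7, 9.6 does.
BIND_9_4_ALGS = {RSASHA1}
BIND_9_6_ALGS = {RSASHA1, NSEC3RSASHA1}


def base_dnssec(anchor_algs, supported, sig_ok):
    """Static trust anchor (trusted-keys). Base DNSSEC rule: when the resolver
    supports none of the anchor's algorithms, the zone is treated as unsigned."""
    if not anchor_algs & supported:
        return Outcome.INSECURE
    return Outcome.SECURE if sig_ok else Outcome.BOGUS


def dlv_lookup(dlv_algs, supported, sig_ok, patched):
    """Dynamic anchor fetched from the DLV registry. Unpatched 9.3/9.4/9.5
    turned an unknown algorithm into a validation failure instead of 'unsigned'."""
    if not dlv_algs & supported:
        return Outcome.INSECURE if patched else Outcome.BOGUS
    return Outcome.SECURE if sig_ok else Outcome.BOGUS


def gov_scenarios():
    """Constructed .gov scenario: the anchor record set lists only NSEC3RSASHA1
    and the zone's signatures are themselves valid."""
    gov = {NSEC3RSASHA1}
    return {
        "9.4 unpatched, DLV": dlv_lookup(gov, BIND_9_4_ALGS, True, patched=False),
        "9.4 patched, DLV": dlv_lookup(gov, BIND_9_4_ALGS, True, patched=True),
        "9.4, static trusted-keys": base_dnssec(gov, BIND_9_4_ALGS, True),
        "9.6, DLV": dlv_lookup(gov, BIND_9_6_ALGS, True, patched=False),
    }


if __name__ == "__main__":
    for label, outcome in gov_scenarios().items():
        print(f"{label:26} -> {outcome.value}")
```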

Finally, BIND users who do not use DLV, or do not use DNSSEC at all, are
not affected by this issue, and may continue to run their existing BIND
release without any concerns.

DNSSEC, while an essential tool for securing the future of the Internet,
is very much in an early adoption phase, and it is to be expected that
bootstrap tools such as DLV may encounter some operational glitches as
deployment experience is gathered. This is an issue for DLV service
users only, and not in any way a shortcoming in the DNSSEC architecture.

We would like to thank members of the DNSSEC early adopter community
(and in particular Michael Sinatra of UC Berkeley) for bringing this
issue to our attention, and commend GSA as operators of the .gov zone,
with the assistance of NIST, for aggressively deploying DNSSEC
technologies. It is only through such early deployment and co-operation
that lessons can be learned for the successful problem-free deployment
of DNSSEC in the longer term.

Keith Mitchell
ISC Director of Engineering
