[dns-operations] Can't resolve NIH.GOV records

Craig Leres leres at ee.lbl.gov
Thu May 7 17:09:22 UTC 2009


Mark Andrews wrote:
> 	These lookups correctly validate for me.
>
> 	What nameservers are you running and which versions?  It really
> 	is hard to give advice without knowing what you are running.

I'm running 9.6.0-P1 and the servers are nsx.lbl.gov, ns1.lbl.gov
and ns2.lbl.gov.

> 	If you are running BIND I would recommend upgrading to BIND
> 	9.6.1b1 as it fixes a number of validation issues with NSEC3
> 	zones.

Earlier I posted:

> I typically run the highest released version of bind and build and
> install a package from the FreeBSD ports tree. However, since no
> patch was created for 9.6 (which seemed odd to me), the FreeBSD
> port has not been patched and I'm left in the awkward position of
> either upgrading to "the latest beta release version" (for which
> there's no FreeBSD port and anyway is a move I probably can't defend
> with management) or downgrading to 9.5.
>
> I asked about this in a few different venues but never received an
> answer. At this point I sort of feel I have been left swinging in
> the breeze; can we get a patch for 9.6? Should I not be running 9.6
> on ~50 FreeBSD boxes (including 8 authoritative nameservers)? The
> only issues I've had with 9.6 have been operational and strictly
> the result of my decision to run DLV, not because of the specific
> version I picked.

Are there NSEC3 issues with all versions of bind < 9.6.1b1? (If so
then downgrading to 9.5 won't help me.) It sounds like my only
options to solve this problem are to run the beta version of 9.6
or to turn off DLV.

		Craig


