[dns-operations] Can't resolve NIH.GOV records

Mark Andrews Mark_Andrews at isc.org
Thu May 7 23:40:47 UTC 2009


In message <4A0315C2.7020109 at ee.lbl.gov>, Craig Leres writes:
> Mark Andrews wrote:
> > 	These lookups correctly validate for me.
> >
> > 	What nameservers are you running and which versions.  It really
> > 	is hard to give advice without knowing what you are running.
> 
> I'm running 9.6.0-P1 and the servers are nsx.lbl.gov, ns1.lbl.gov
> and ns2.lbl.gov.
> 
> > 	If you are running BIND I would recommend upgrading to BIND
> > 	9.6.1b1 as it fixes a number of validation issues with NSEC3
> > 	zones.
> 
> Earlier I posted:
> 
> > I typically run the highest released version of bind and build and
> > install a package from the FreeBSD ports tree. However, since no
> > patch was created for 9.6 (which seemed odd to me), the FreeBSD
> > port has not been patched and I'm left in the awkward position of
> > either upgrading to "the latest beta release version" (for which
> > there's no FreeBSD port and anyway is a move I probably can't defend
> > with management) or downgrading to 9.5.

	The patch has this change in it.

2579.   [bug]           DNSSEC lookaside validation failed to handle unknown
                        algorithms. [RT #19479]

	BIND 9.[345] dosn't support the two DNSKEY algorithms that
	indicate NSEC3 may be in use so patches were issued for
	BIND 9.4 and BIND 9.5 (BIND 9.3 is at EOL).

	BIND 9.6.0 has NSEC3 support, so it knows about the two
	algorithms in question and it was not critical to release
	a patch for BIND 9.6.0 as it could already handle DLV records
	pointing to NSEC3 zones.
>
> > I asked about this in a few different venues but never received an 
> > answer. At this point I sort of feel I have been left swinging in
> > the breeze; can we get a patch for 9.6? Should I not be running 9.6
> > on ~50 FreeBSD boxes (including 8 authoritative nameservers)? The
> > only issues I've had with 9.6 have been operational and strictly
> > the result of my decision to run DLV, not because of the the specific
> > version I picked. 
> > Are there NSEC3 issues with all versions of bind < 9.6.1b1? (If so
> > then downgrading to 9.5 won't help me.) It sounds like my only
> > options to solve this problem are to run the beta version of 9.6
> > or to turn off DLV. 
> >
> >               Craig

	There are NSEC3 issues with BIND 9.6.0.  BIND 9.6.0 was the
	first BIND release with NSEC3 support.  Yes, it suffers a bit
	from .0-itus.

	Below are the DNSSEC related fixes in BIND 9.6.  The ones
	below "--- 9.6.1b1 released ---" are in BIND 9.6.1b1.
	Despite DNSSEC being several years old we are only starting
	to see wider scale deployment of DNSSEC recently so some
	of these bugs are only now surfacing.

	We are concentrating on getting BIND 9.6.1 out the door as
	that addresses both NSEC and NSEC3 issues.  Once BIND 9.6.1
	is out the door we will look at releasing the subset of
	BIND 9.6.1 changes that also apply to BIND 9.4 and BIND 9.5.

	Mark

2597.   [bug]           Handle a validation failure with a insecure delegation
                        from a NSEC3 signed master/slave zone.  [RT #19464]

2591.   [bug]           named could die when processing a update in
                        removed_orphaned_ds(). [RT #19507]

2586.   [bug]           Missing cleanup of SIG rdataset in searching a DLZ DB
                        or SDB. [RT #19577]

2579.   [bug]           DNSSEC lookaside validation failed to handle unknown
                        algorithms. [RT #19479]

        --- 9.6.1b1 released ---

2576.   [bug]           NSEC record were not being correctly signed when
                        a zone transitions from insecure to secure.
                        Handle such incorrectly signed zones. [RT #19114]

2564.   [bug]           Only take EDNS fallback steps when processing timeouts.
                        [RT #19405]

2559.   [bug]           dnssec-dsfromkey could compute bad DS records when
                        reading from a K* files.  [RT #19357]

2554.   [bug]           Validation of uppercase queries from NSEC3 zones could
                        fail. [RT #19297]

2553.   [bug]           Reference leak on DNSSEC validation errors. [RT #19291]

2524.   [port]          sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523.   [bug]           Random type rdata freed by dns_nsec_typepresent().
                        [RT #19112]

2522.   [security]      Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org



More information about the dns-operations mailing list