[dns-operations] Can't resolve NIH.GOV records
Mark Andrews
Mark_Andrews at isc.org
Thu May 7 23:40:47 UTC 2009
In message <4A0315C2.7020109 at ee.lbl.gov>, Craig Leres writes:
> Mark Andrews wrote:
> > These lookups correctly validate for me.
> >
> > What nameservers are you running and which versions. It really
> > is hard to give advice without knowing what you are running.
>
> I'm running 9.6.0-P1 and the servers are nsx.lbl.gov, ns1.lbl.gov
> and ns2.lbl.gov.
>
> > If you are running BIND I would recommend upgrading to BIND
> > 9.6.1b1 as it fixes a number of validation issues with NSEC3
> > zones.
>
> Earlier I posted:
>
> > I typically run the highest released version of bind and build and
> > install a package from the FreeBSD ports tree. However, since no
> > patch was created for 9.6 (which seemed odd to me), the FreeBSD
> > port has not been patched and I'm left in the awkward position of
> > either upgrading to "the latest beta release version" (for which
> > there's no FreeBSD port and anyway is a move I probably can't defend
> > with management) or downgrading to 9.5.
The patch has this change in it.
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
BIND 9.[345] doesn't support the two DNSKEY algorithms that
indicate NSEC3 may be in use so patches were issued for
BIND 9.4 and BIND 9.5 (BIND 9.3 is at EOL).
BIND 9.6.0 has NSEC3 support, so it knows about the two
algorithms in question and it was not critical to release
a patch for BIND 9.6.0 as it could already handle DLV records
pointing to NSEC3 zones.
>
> > I asked about this in a few different venues but never received an
> > answer. At this point I sort of feel I have been left swinging in
> > the breeze; can we get a patch for 9.6? Should I not be running 9.6
> > on ~50 FreeBSD boxes (including 8 authoritative nameservers)? The
> > only issues I've had with 9.6 have been operational and strictly
> > the result of my decision to run DLV, not because of the specific
> > version I picked.
> > Are there NSEC3 issues with all versions of bind < 9.6.1b1? (If so
> > then downgrading to 9.5 won't help me.) It sounds like my only
> > options to solve this problem are to run the beta version of 9.6
> > or to turn off DLV.
> >
> > Craig
There are NSEC3 issues with BIND 9.6.0. BIND 9.6.0 was the
first BIND release with NSEC3 support. Yes, it suffers a bit
from .0-itus.
Below are the DNSSEC related fixes in BIND 9.6. The ones
below "--- 9.6.1b1 released ---" are in BIND 9.6.1b1.
Despite DNSSEC being several years old we are only starting
to see wider scale deployment of DNSSEC recently so some
of these bugs are only now surfacing.
We are concentrating on getting BIND 9.6.1 out the door as
that addresses both NSEC and NSEC3 issues. Once BIND 9.6.1
is out the door we will look at releasing the subset of
BIND 9.6.1 changes that also apply to BIND 9.4 and BIND 9.5.
Mark
2597. [bug] Handle a validation failure with a insecure delegation
from a NSEC3 signed master/slave zone. [RT #19464]
2591. [bug] named could die when processing a update in
removed_orphaned_ds(). [RT #19507]
2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
or SDB. [RT #19577]
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
--- 9.6.1b1 released ---
2576. [bug] NSEC record were not being correctly signed when
a zone transitions from insecure to secure.
Handle such incorrectly signed zones. [RT #19114]
2564. [bug] Only take EDNS fallback steps when processing timeouts.
[RT #19405]
2559. [bug] dnssec-dsfromkey could compute bad DS records when
reading from a K* files. [RT #19357]
2554. [bug] Validation of uppercase queries from NSEC3 zones could
fail. [RT #19297]
2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
2523. [bug] Random type rdata freed by dns_nsec_typepresent().
[RT #19112]
2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
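An added example, not code from the thread or from BIND: a small model of the rule this exchange turns on, that a validator which does not implement the DNSKEY algorithm numbers signalling NSEC3 (6 and 7, per RFC 5155) must treat such a zone as insecure rather than fail the lookup (RFC 4035 section 5.2, applied to DLV records by RFC 5074). The two resolvers' algorithm sets, the DLV records and their digests are constructed placeholders, and the "unknown algorithm means failure" function only illustrates the symptom reported here, not the actual BIND code path.

```python
from typing import NamedTuple

RSASHA1 = 5              # IANA DNSKEY algorithm numbers referenced below
DSA_NSEC3_SHA1 = 6       # RFC 5155 aliases of DSA (3) and RSASHA1 (5); a zone
RSASHA1_NSEC3_SHA1 = 7   # signed with them signals that NSEC3 may be in use
NSEC3_ALGS = frozenset({DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1})
SHA1, SHA256 = 1, 2      # DS/DLV digest types
DEFAULT_DIGESTS = frozenset({SHA1, SHA256})

# Assumed algorithm sets for two hypothetical validators (not BIND's real tables)
PRE_NSEC3_RESOLVER = frozenset({1, 3, 5})               # knows nothing of 6 and 7
NSEC3_AWARE_RESOLVER = PRE_NSEC3_RESOLVER | NSEC3_ALGS
INSECURE, VALIDATE, BOGUS = "insecure", "validate", "bogus"

class DsLike(NamedTuple):
    owner: str
    rrtype: str        # "DS" or "DLV"; both carry the same RDATA (RFC 4431)
    keytag: int
    algorithm: int
    digest_type: int
    digest: str

def parse_ds_like(line: str) -> DsLike:
    """Parse a DS or DLV record in presentation format:
    owner [ttl] [class] TYPE keytag algorithm digesttype digest..."""
    f = line.split()
    i = next(k for k, tok in enumerate(f) if tok in ("DS", "DLV"))
    keytag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return DsLike(f[0], f[i], keytag, alg, dtype, "".join(f[i + 4:]))

def classify_per_rfc4035(records, supported_algs, supported_digests=DEFAULT_DIGESTS):
    """RFC 4035 s5.2 (applied to DLV by RFC 5074): if no record combines a
    supported algorithm with a supported digest type, the validator has no trust
    path into the zone and treats it as insecure (answered, unvalidated)."""
    usable = [r for r in records
              if r.algorithm in supported_algs and r.digest_type in supported_digests]
    return VALIDATE if usable else INSECURE

def classify_unknown_as_failure(records, supported_algs):
    """Illustrative faulty rule modelling the symptom in the thread, not BIND's
    code: an unknown algorithm is counted as a broken chain, so an NSEC3 zone
    reached through DLV gets SERVFAIL on a resolver without NSEC3 support."""
    return BOGUS if any(r.algorithm not in supported_algs for r in records) else VALIDATE

# Constructed sample records with placeholder digests (not real NIH.GOV data)
SAMPLE_NSEC3_DLV = [parse_ds_like(
    "example.net. 3600 IN DLV 12345 7 1 0123456789abcdef0123456789abcdef01234567")]
SAMPLE_MIXED = SAMPLE_NSEC3_DLV + [parse_ds_like(
    "example.net. 3600 IN DLV 23456 5 1 89abcdef0123456789abcdef0123456789abcdef")]
```

Running `classify_per_rfc4035(SAMPLE_NSEC3_DLV, PRE_NSEC3_RESOLVER)` gives "insecure" (the name still resolves, just unvalidated), while the faulty rule gives "bogus" on the same input; an NSEC3-aware validator proceeds to "validate" under both rules.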