[dns-operations] .FR validation problems?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Fri Oct 1 15:15:02 UTC 2010
On Fri, Oct 01, 2010 at 11:06:35AM -0400,
Hugo Salgado <hsalgado at nic.cl> wrote
a message of 19 lines which said:
> I've read about the BIND's bug in case of an only-delegation opt-out
> nsec3 zone, reported by people in Afnic, but this doesn't seem to be
> the same.
Not at all, here the problem is that the introduction of a new DS in a
parent triggers spurious SERVFAILs (for instance when querying a
non-existing RR type). It is a problem if you run some versions of
BIND, with DNSSEC validation, a trust anchor for the parent (if you
have a local trust anchor, it works) and the arrival of a DS in the
parent.
This "new" bug is actually an old one but is still present in many OS
such as Debian (whose default BIND is 9.6-ESV-R1, vulnerable) and
Ubuntu (and, I believe, CentOS) since there never was a security alert
to require an immediate push.
Fixed in 9.6-ESV-R2.
2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097]
Some 9.7.* apparently had the problem, too.