[dns-operations] .FR validation problems?
Chris Thompson
cet1 at cam.ac.uk
Fri Oct 1 15:50:27 UTC 2010
On Oct 1 2010, Stephane Bortzmeyer wrote:
>On Fri, Oct 01, 2010 at 11:06:35AM -0400,
> Hugo Salgado <hsalgado at nic.cl> wrote
> a message of 19 lines which said:
>
>> I've read about the BIND's bug in case of a only-delegation opt-out
>> nsec3 zone, reported by people in Afnic, but this doesn't seem to be
>> the same.
>
>Not at all, here the problem is that the introduction of a new DS in a
>parent triggers spurious SERVFAILs (for instance when querying a
>non-existing RR type). It is a problem if you run some versions of
>BIND, with DNSSEC validation, a trust anchor for the parent (if you
>have a local trust anchor, it works) and the arrival of a DS in the
>parent.
>
>This "new" bug is actually an old one but is still present in many OS
>such as Debian (whose default BIND is 9.6-ESV-R1, vulnerable) and
>Ubuntu (and, I believe, CentOS) since there never was a security alert
>to require an immediate push.
>
>Fixed in 9.6-ESV-R2.
>
>2890. [bug] Handle the introduction of new trusted-keys and
> DS, DLV RRsets better. [RT #21097]
>
>Some 9.7.* apparently had the problem, too.
We saw this too, using BIND 9.6.2-P2. (We're upgrading our recursive
nameservers now: I was waiting for BIND 9.7.2 which has had ... problems.)
It was sufficient to do "rndc flushname fr" to cure the problem,
incidentally. I gave the user who reported the problem the
technical details, and he replied
| Thanks for sorting it out. Didn't understand a word of your
| explanation but the result is there. It works.
--
Chris Thompson
University of Cambridge Computing Service,
New Museums Site, Cambridge CB2 3QH, United Kingdom.
Email: cet1 at ucs.cam.ac.uk
Phone: +44 1223 334715
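As an added example (not code from the original thread), a small POSIX shell triage for the symptom discussed above: it compares a query with validation on against the same query with +cd, so a resolver-side validation failure (SERVFAIL only when validating) can be told apart from an ordinary upstream failure before anyone reaches for rndc flushname. The resolver address, the test name and the RR type TYPE65534 are assumptions.

```shell
#!/bin/sh
# Added example: classify a SERVFAIL seen under a parent that just gained a DS.
# Assumes 'dig' is installed; 'rndc flushname' is only suggested, never run.

# dig_status OUTPUT: extract the "status:" field from a dig header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_validation PLAIN_OUTPUT CD_OUTPUT
# PLAIN_OUTPUT: dig output with validation on; CD_OUTPUT: same query with +cd.
# A SERVFAIL that disappears with +cd means the authoritative side answers
# fine and the validating resolver itself is rejecting the data.
classify_validation() {
    plain=$(dig_status "$1")
    cdout=$(dig_status "$2")
    if [ "$plain" = "SERVFAIL" ] && [ -n "$cdout" ] && [ "$cdout" != "SERVFAIL" ]; then
        echo "validation-failure"
    elif [ "$plain" = "SERVFAIL" ]; then
        echo "upstream-failure"     # fails with and without validation
    else
        echo "ok"
    fi
}

# check_name RESOLVER NAME [TYPE]: run both queries and print the verdict.
# TYPE65534 (a constructed choice) mimics the "non-existing RR type" query
# that triggered the spurious SERVFAILs described in the thread.
check_name() {
    resolver=$1; name=$2; rrtype=${3:-TYPE65534}
    plain=$(dig "@$resolver" +dnssec "$name" "$rrtype" 2>&1)
    cdout=$(dig "@$resolver" +dnssec +cd "$name" "$rrtype" 2>&1)
    verdict=$(classify_validation "$plain" "$cdout")
    echo "$name/$rrtype via $resolver: $verdict"
    if [ "$verdict" = "validation-failure" ]; then
        zone=${name##*.}   # top-level label of the name, e.g. "fr"
        echo "  cached state under the parent is suspect; consider: rndc flushname $zone"
    fi
}

# Usage: check_name 127.0.0.1 www.example.fr
```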