[dns-operations] .FR validation problems?

Hugo Salgado hsalgado at nic.cl
Fri Oct 1 16:29:22 UTC 2010


On 10/01/2010 11:50 AM, Chris Thompson wrote:
> On Oct 1 2010, Stephane Bortzmeyer wrote:
>> Not at all, here the problem is that the introduction of a new DS in a
>> This "new" bug is actually an old one but is still present in many OS
>> such as Debian (whose default BIND is 9.6-ESV-R1, vulnerable) and
>> Ubuntu (and, I believe, CentOS) since there never was a security alert
>> to require an immediate push.
> 
> We saw this too, using BIND 9.6.2-P2. (We're upgrading our recursive
> nameservers now: I was waiting for BIND 9.7.2 which has had ... problems.)
> 
> It was sufficient to do "rndc flushname fr" to cure the problem,
> incidentally. I gave the user who reported the problem the
> technical details, and he replied
> 

Thanks. We plan to un-obscure our dnskey before the submission
of our DS, as Casey suggests (its a requirement by IANA anyway), but
this issue doesn't seem to be workable in short term.

We'll try to figure out how to minimize the impact, with an
announcement like .fr did today.

Thanks,

Hugo



More information about the dns-operations mailing list