[dns-operations] Please upgrade validators to at least BIND-9.7.2 before .com is signed

Wessels, Duane dwessels at verisign.com
Wed Feb 2 15:21:09 UTC 2011


Following the deployment of DNSSEC in the .net zone, Verisign became aware
of issues experienced by users of certain BIND versions when used as a
recursive name server and configured for validation.

A user of BIND 9.7.0-P2, configured for validation with the root trust
anchor, experienced SERVFAIL responses for all unsigned .net domains after
the .net DS record was published in the root zone and after .net NS records
expired from his name server's cache.

We were able to reproduce the issue in our lab and confirm this behavior.
We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in
9.7.1b1 and later versions. When configured for validation, stub resolvers
querying a recursive name server running the aforementioned versions have
a 50% chance of experiencing the issue upon introduction of a new DS record.
Upon restart of the named process, resolution and validation both work as
expected, without issues.

We recommend anyone using BIND 9.6.2 through 9.7.0 for DNSSEC validation
upgrade to 9.7.2 or later prior to 31 March 2011 (when the DS record for
.com is planned to be published in the root zone). If you are unable to
upgrade, we recommend monitoring the root zone on 31 March for the presence
of the .com DS record and restarting recursive name servers performing
validation as soon as possible after this DS record appears.
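The two checks this recommendation asks operators to make (is my resolver in the affected 9.6.2 through 9.7.0 range, and has the .com DS record appeared in the root zone yet) can be scripted. The following is an added example, not code from Verisign or from the BIND project: it parses the version string `named -v` prints, orders prerelease (`b1`, `rc1`) and patch (`-P2`) suffixes correctly so that 9.7.0-P2 is flagged while 9.7.1b1 is not, and parses the answer lines of `dig +short DS com. @<root-server>` to decide whether the advisory's "restart now" or "upgrade before publication" action applies. The DS sample lines and their digest are constructed placeholders, not the real .com DS record; the 9.6-ESV branch naming is deliberately reported as unknown because the advisory does not cover it.

```python
import re
from typing import List, Optional, Tuple

# Prerelease tags sort before the final release (rank 3); -P<n> security
# patch releases sort after the release they patch.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}

# Accepts '9.7.0-P2', 'BIND 9.7.1b1', '9.7.2rc1 ...'; the lookahead stops a
# match like '9.7.0' from silently accepting '9.7.0foo'.
_VERSION_RE = re.compile(
    r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-P(\d+))?(?=\s|$)",
    re.IGNORECASE,
)

VersionKey = Tuple[int, int, int, int, int, int]


def parse_bind_version(text: str) -> Optional[VersionKey]:
    """Turn 'BIND 9.7.0-P2' (as printed by `named -v`) into a sortable tuple.

    Returns None for strings this parser does not understand, e.g. the
    9.6-ESV branch naming, which the advisory does not mention."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre_tag, pre_num, p_level = m.groups()
    pre_rank = _PRE_RANK[pre_tag.lower()] if pre_tag else 3
    return (int(major), int(minor), int(patch), pre_rank,
            int(pre_num) if pre_num else 0, int(p_level) if p_level else 0)


# Range stated in the advisory: 9.6.2 through 9.7.0 (all -P releases of
# 9.7.0 included); 9.7.1b1 and later are not affected; 9.7.2 is recommended.
AFFECTED_LOW = parse_bind_version("9.6.2")
FIRST_FIXED = parse_bind_version("9.7.1b1")
RECOMMENDED = parse_bind_version("9.7.2")


def is_affected(text: str) -> bool:
    v = parse_bind_version(text)
    return v is not None and AFFECTED_LOW <= v < FIRST_FIXED


def ds_records_present(dig_short_output: str) -> List[Tuple[int, int, int, str]]:
    """Parse the output of `dig +short DS com. @<root-server>`.

    Each answer line is '<keytag> <algorithm> <digest type> <digest>', and dig
    may split the digest with spaces. Lines starting with ';' are dig
    diagnostics (timeouts and the like), not records, and are skipped."""
    records = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        keytag, alg, dtype = (int(f) for f in fields[:3])
        records.append((keytag, alg, dtype, "".join(fields[3:]).upper()))
    return records


def advise(version_text: str, dig_short_output: str) -> str:
    """Map a resolver's BIND version plus the current root-zone DS check
    onto the action the advisory recommends."""
    if parse_bind_version(version_text) is None:
        return "unknown-version"
    if not is_affected(version_text):
        return "not-affected"
    if ds_records_present(dig_short_output):
        # DS already in the root: the failure can be triggered as soon as
        # cached .com NS records expire, so restart named now, then upgrade.
        return "restart-now-then-upgrade"
    return "upgrade-before-ds-publication"


# Constructed sample dig outputs (placeholder key tag and digest, not the
# real .com DS record).
SAMPLE_NO_DS = ""
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"
SAMPLE_DS = ("12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF "
             "0123456789ABCDEF\n")

if __name__ == "__main__":
    for ver in ("BIND 9.7.0-P2", "9.7.1b1", "9.6.1-P3", "9.6-ESV-R3"):
        print(ver, "->", advise(ver, SAMPLE_NO_DS), "/", advise(ver, SAMPLE_DS))
```

In operation the DS sample would be replaced by the live output of a `dig +short DS com.` query against a root server, polled on 31 March, and the `advise` result would drive the restart of affected validators.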

A more detailed description of this issue and our analysis is available
at http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf.
