[dns-operations] Please upgrade validators to at least BIND-9.7.2 before .com is signed

Antoin Verschuren antoin.verschuren at sidn.nl
Thu Feb 3 10:51:22 UTC 2011


BIND 9.7.0-P1 is still used in Ubuntu Server 10.04 LTS.
I think that many still use that as a default install, and depend on
Ubuntu's updates to get a new version.

I tried to file a bugfix
(https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/651875) but due to
my inexperience in filing bugfixes in distributions, I don't know
whatever happened to it.

Anyone else with experience in filing security or bug reports for
Ubuntu who wants to give it a try to get it fixed there?

-- 
Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl

On 02-02-11 16:21, Wessels, Duane wrote:
> Following the deployment of DNSSEC in the .net zone, Verisign became aware
> of issues experienced by users of certain BIND versions when used as a
> recursive name server and configured for validation.
> A user of a BIND 9.7.0-P2, configured for validation with the root trust
> anchor, experienced SERVFAIL responses for all unsigned .net domains after
> the .net DS record was published in the root zone and after .net NS records
> expired from his name server's cache.
> We were able to reproduce the issue in our lab and confirm this behavior.
> We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in
> 9.7.1b1 and later versions. When configured for validation, stub resolvers
> querying a recursive name server running the aforementioned versions have
> a 50% chance of experiencing the issue upon introduction of a new DS record.
> Upon restart of the named process, resolution and validation both work as
> expected, without issues.
> We recommend anyone using BIND 9.6.2 through 9.7.0 for DNSSEC validation
> upgrade to 9.7.2 or later prior to 31 March 2011 (when the DS record for
> .com is planned to be published in the root zone). If you are unable to
> upgrade, we recommend monitoring the root zone on 31 March for the presence
> of the .com DS record and restarting recursive name servers performing
> validation as soon as possible after this DS record appears.
> A more detailed description of this issue and our analysis is available
> at http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
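The fallback recommended in the quoted Verisign note (watch the root zone for the .com DS record and restart validating resolvers as soon as it appears) can be scripted. The following is an added example and not code from the post, from Verisign or from SIDN. It assumes the BIND utilities (dig) are installed, that the resolver is Ubuntu's bind9 package restarted via `service bind9 restart`, and that querying a root server directly with recursion disabled is acceptable (so the check does not depend on the possibly affected validator itself). The DS record used to exercise the parser below is a constructed sample, not the real .com DS.

```shell
#!/bin/sh
# Added example: poll a root server for the DS record of com. and restart a
# validating BIND once it is published (workaround for BIND 9.6.2 - 9.7.0).

# has_com_ds DIG_OUTPUT
#   Return 0 if the given dig answer text contains a DS RR for com., else 1.
#   Matches the presentation format "com. <ttl> IN DS <keytag> <alg> <digesttype> <digest>".
has_com_ds() {
    printf '%s\n' "$1" |
        grep -Eiq '^com\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+DS[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9A-Fa-f ]+$'
}

# query_com_ds
#   Ask a root server (assumption: a.root-servers.net) for the DS of com.
#   +norecurse: we want the root server's own answer, not a cached one.
#   +noall +answer: print only the ANSWER section, in the format has_com_ds parses.
query_com_ds() {
    dig +norecurse +noall +answer @a.root-servers.net com. DS
}

# restart_named
#   Restart the validating resolver. Ubuntu 10.04 LTS ships BIND as the bind9
#   service; adjust for other init systems (assumption, not from the post).
restart_named() {
    service bind9 restart
}

# poll_until_ds [INTERVAL_SECONDS]
#   Loop until the com. DS is visible at the root, then restart named once.
poll_until_ds() {
    interval=${1:-300}
    while :; do
        if has_com_ds "$(query_com_ds)"; then
            echo "com. DS record seen at the root, restarting named"
            restart_named
            return 0
        fi
        sleep "$interval"
    done
}

# Usage (run as root on each affected resolver, e.g. from screen or cron on the day):
#   . ./watch_com_ds.sh && poll_until_ds 120
```

Only the parsing function is exercised offline; the dig query and the restart run for real on a resolver. Restarting is enough because, as the note states, named validates correctly again after a restart; upgrading to 9.7.2 or later remains the proper fix.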