[dns-operations] Please upgrade validators to at least BIND-9.7.2 before .com is signed

Antoin Verschuren antoin.verschuren at sidn.nl
Thu Feb 3 10:51:22 UTC 2011


BIND 9.7.0-P1 is still used in Ubuntu server 10.04 LTS.
I think that many still use that as a default install, and depend on
Ubuntu's updates to get a new version.

I tried to file a bugfix
(https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/651875) but due to
my inexperience in filing bugfixes in distributions, I don't know what
ever happened to it.

Anyone else having experience in filing security or bug reports for
Ubuntu that wants to give it a try to get it fixed there?

-- 
Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl
http://www.sidn.nl/

On 02-02-11 16:21, Wessels, Duane wrote:
> Following the deployment of DNSSEC in the .net zone, Verisign became aware
> of issues experienced by users of certain BIND versions when used as a
> recursive name server and configured for validation.
> 
> A user of BIND 9.7.0-P2, configured for validation with the root trust
> anchor, experienced SERVFAIL responses for all unsigned .net domains after
> the .net DS record was published in the root zone and after .net NS records
> expired from his name server's cache.
> 
> We were able to reproduce the issue in our lab and confirm this behavior.
> We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in
> 9.7.1b1 and later versions. When configured for validation, stub resolvers
> querying a recursive name server running the aforementioned versions have
> a 50% chance of experiencing the issue upon introduction of a new DS record.
> Upon restart of the named process, resolution and validation both work as
> expected, without issues.
> 
> We recommend anyone using BIND 9.6.2 through 9.7.0 for DNSSEC validation
> upgrade to 9.7.2 or later prior to 31 March 2011 (when the DS record for
> .com is planned to be published in the root zone). If you are unable to
> upgrade, we recommend monitoring the root zone on 31 March for the presence
> of the .com DS record and restarting recursive name servers performing
> validation as soon as possible after this DS record appears.
> 
> A more detailed description of this issue and our analysis is available
> at http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf.
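A monitoring check for the workaround quoted above (watch the root zone for the .com DS record, then restart a validator that starts answering SERVFAIL), added here as an example and not code from either message in the thread. It assumes `dig` is installed; a.root-servers.net, the resolver address and the test names are placeholders to replace.

```shell
#!/bin/sh
# Added example, not code from the thread. It parses dig output to (1) tell
# whether a DS record for a TLD is present in the ANSWER section of a
# root-server reply and (2) extract the RCODE a validating resolver returned.
# Root server, resolver address and sample names are assumptions.

# Succeeds (exit 0) if the dig output on stdin carries a DS RR in ANSWER.
# A NODATA reply lists the TLD only in AUTHORITY and the QUESTION line also
# contains "DS", so the section boundary matters; a plain grep would misfire.
ds_in_answer() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^$/                  { in_ans = 0 }
         in_ans && $4 == "DS"  { found = 1 }
         END                   { exit found ? 0 : 1 }'
}

# Prints the RCODE (NOERROR, SERVFAIL, ...) from the dig header on stdin.
dig_rcode() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Live check (needs network): has the DS for TLD $1 appeared in the root zone?
# Example: tld_ds_published com.
tld_ds_published() {
    dig +norecurse @a.root-servers.net "$1" DS | ds_in_answer
}

# Live check (needs network): does validator $1 answer SERVFAIL for $2, an
# unsigned name under the newly signed TLD (pick one you know is unsigned)?
validator_servfails() {
    [ "$(dig +dnssec @"$1" "$2" A | dig_rcode)" = "SERVFAIL" ]
}

# Intended use from cron: once tld_ds_published succeeds, alert (or restart
# named, as the advisory suggests) when validator_servfails also succeeds.
```

Restarting named clears the cached state the advisory describes, so the two live checks together tell you when the restart is actually needed rather than restarting blindly.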