[dns-operations] Please upgrade validators to at least BIND-9.7.2 before .com is signed

Francisco Obispo fobispo at isc.org
Sat Feb 5 02:00:42 UTC 2011

Here's an email that has been posted to several lists already, it comes from my colleague Larissa Shapiro from ISC:


ISC has issued a public advisory regarding the DNSSEC issue raised on
this list earlier this week. All operators who use or plan to use DNSSEC should take careful note, prior to the addition of .com to the signed root at the end of March. The full advisory is located at:


Please do not hesitate to contact us directly with any questions
regarding this matter.


Larissa Shapiro
ISC Product Manager
larissas at isc.org
+1 650 423-1335

On Feb 3, 2011, at 2:51 AM, Antoin Verschuren wrote:

> Hash: SHA1
> Bind 9.7.0-P1 is still used in Ubuntu server 10.04 LTS.
> I think that many still use that as a default install, and depend on
> ubuntu's updates to get a new version.
> I tried to file a bugfix
> (https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/651875) but due to
> my inexperience in filing bugfixes in distributions, I don't know what
> ever happened to it.
> Anyone else having experience in filing security or bug reports for
> Ubuntu that wants to give it a try to get it fixed there ?
> - -- 
> Antoin Verschuren
> Technical Policy Advisor SIDN
> Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
> P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
> mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl
> http://www.sidn.nl/
> On 02-02-11 16:21, Wessels, Duane wrote:
>> Following the deployment of DNSSEC in the .net zone, Verisign became aware
>> of issues experienced by users of certain BIND versions when used as a
>> recursive name server and configured for validation.
>> A user of a BIND 9.7.0-P2, configured for validation with the root trust
>> anchor, experienced SERVFAIL responses for all unsigned .net domains after
>> the .net DS record was published in the root zone and after .net NS records
>> expired from his name server's cache.
>> We were able to reproduce the issue in our lab and confirm this behavior.
>> We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in
>> 9.7.1b1 and later versions. When configured for validation, stub resolvers
>> querying a recursive name server running the aforementioned versions have
>> a 50% chance of experiencing the issue upon introduction of a new DS record.
>> Upon restart of the named process, resolution and validation both work as
>> expected, without issues.
>> We recommend anyone using BIND 9.6.2 through 9.7.0 for DNSSEC validation
>> upgrade to 9.7.2 or later prior to 31 March 2011 (when the DS record for
>> .com is planned to be published in the root zone). If you are unable to
>> upgrade, we recommend monitoring the root zone on 31 March for the presence
>> of the .com DS record and restarting recursive name servers performing
>> validation as soon as possible after this DS record appears.
>> A more detailed description of this issue and our analysis is available
>> at http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf.
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> Version: GnuPG v1.4.10 (GNU/Linux)
> 5N9AFlSoVqAe1eNU0U6mUvBukf7XqcB3LgrKthRz8uYyNJnNwDLLlw8i+VYsnCII
> 7nAZFgkIjUdSdus/A9I7fUFnBj7A92GOVbV4Ux7TqkvyAmJFPGgjmb20EcsEDGp2
> Klqza0YjcCKcpHrg6MrMKt3jsHSR1Loe0rHg+WHM/ScMMe2eW5zR45tMNOYC+FSJ
> kR7e5raFWbHKYdNoiH5xP+OxWtMG0NLPgOrGSxZoj69pKEwpFD1GfTSYGm7+8wA=
> =8IRU
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Francisco Obispo 
Hosted@ Programme Manager
email: fobispo at isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
Key fingerprint = 532F 84EB 06B4 3806 D5FA  09C6 463E 614E B38D B1BE

More information about the dns-operations mailing list