[dns-operations] Please upgrade validators to at least BIND-9.7.2 before .com is signed

Rickard Dahlstrand rickard.dahlstrand at iis.se
Sat Feb 5 10:22:26 UTC 2011

Hi Duane and others,

Being responsible for some software development here at .SE I realized that there seems to be something really wrong here. If I where responsible for the development of bind, one of the first thing I would test prior to a release is this scenario. Especially in light of the global move into DNSSEC since the root has been signed last year.

It makes me think that DNSSEC is not a huge priority for some of us, while others suffers trying to keep this thing running. This bug was in no way minor and possible had big implications for ISPs in Sweden running DNSSEC-enabled resolvers for a huge number of users, possible losing lots of money and getting bad PR.

This is not meant as a flame at ISC. Instead please read as a call to increase awareness that DNSSEC IS NOT IN BETA and a plea to all vendors to start testing their applications.


2 feb 2011 kl. 16.21 skrev Wessels, Duane:

> Following the deployment of DNSSEC in the .net zone, Verisign became aware
> of issues experienced by users of certain BIND versions when used as a
> recursive name server and configured for validation.
> A user of a BIND 9.7.0-P2, configured for validation with the root trust
> anchor, experienced SERVFAIL responses for all unsigned .net domains after
> the .net DS record was published in the root zone and after .net NS records
> expired from his name server's cache.
> We were able to reproduce the issue in our lab and confirm this behavior.
> We believe it is present in BIND versions 9.6.2 through 9.7.0, but not in
> 9.7.1b1 and later versions. When configured for validation, stub resolvers
> querying a recursive name server running the aforementioned versions have
> a 50% chance of experiencing the issue upon introduction of a new DS record.
> Upon restart of the named process, resolution and validation both work as
> expected, without issues.
> We recommend anyone using BIND 9.6.2 through 9.7.0 for DNSSEC validation
> upgrade to 9.7.2 or later prior to 31 March 2011 (when the DS record for
> .com is planned to be published in the root zone). If you are unable to
> upgrade, we recommend monitoring the root zone on 31 March for the presence
> of the .com DS record and restarting recursive name servers performing
> validation as soon as possible after this DS record appears.
> A more detailed description of this issue and our analysis is available
> at http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list