[dns-operations] Caveat in upgrading to BIND 9.7.3

Casey Deccio casey at deccio.net
Thu Feb 24 23:18:15 UTC 2011


On Thu, Feb 24, 2011 at 9:51 AM, Michael Sinatra <
michael at rancid.berkeley.edu> wrote:

> BIND 9.7.3 correctly fixes an issue not currently related to the CVE that
> has just been released.  This issue involves case-sensitivity issues in
> secondary zones, which can cause validation problems for NSEC records if the
> zone in question is DNSSEC-signed.  The problem manifests itself when the
> secondary's named.conf has a different case versus the original zone when it
> was signed, e.g. br vs. BR.  It can cause unsigned delegations to fail since
> the nonexistence of the DS record can't be proven.  It's a pretty small
> corner-case, but it can affect zones with several secondaries and many
> signed and unsigned delegations (e.g. signed ccTLDs).
>
>
As an illustration, here is the impact that this had on insecure delegations
from berekeley.edu:

http://dnsviz.net/d/cs.berkeley.edu/1297818000000000/dnssec/

Note that two distinct NSEC RRs were returned by the collective set of
servers authoritative for berkeley.edu for proving non-existence of
cs.berkeley.edu/DS.  Two of the six servers were serving an NSEC RR that had
a name mixed case in the "next" field, and the others all had only lower
case.  However, all servers were serving the same RRSIG covering the NSEC.
Since the RRSIG was made from the NSEC with lower case, the RRSIG didn't
validate against the NSEC served by the two servers.

Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20110224/4d2f8640/attachment.html>


More information about the dns-operations mailing list