[dns-operations] Caveat in upgrading to BIND 9.7.3
michael at rancid.berkeley.edu
Thu Feb 24 23:34:47 UTC 2011
On 2/24/11 3:18 PM, Casey Deccio wrote:
> As an illustration, here is the impact that this had on insecure delegations
> from berkeley.edu:
> Note that two distinct NSEC RRs were returned by the collective set of
> servers authoritative for berkeley.edu for proving non-existence of
> cs.berkeley.edu/DS. Two of the six servers were serving an NSEC RR that had
> a name with mixed case in the "next" field, and the others all had only lower
> case. However, all servers were serving the same RRSIG covering the NSEC.
> Since the RRSIG was made from the NSEC with lower case, the RRSIG didn't
> validate against the NSEC served by the two servers.
This is also typical of how the bug manifested prior to 9.7.3. It had
never affected berkeley.edu before because I usually let DNS servers
"settle" for a few days before shoving them back into the anycast cloud.
This generally gives zones time to naturally retransfer as updates are
made and they are re-signed. By quickly dropping in the 9.7.3 and
putting the server back into production, the residual side-effects of
this issue showed up. Forcibly retransferring the zones fixes it
permanently because 9.7.3 properly fixes the way that the zones are
written to disk.
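The cross-server NSEC mismatch Casey describes is easy to catch before a resolver does, by comparing the wire form of the NSEC RDATA that each authoritative server hands back. The script below is an added example, not code from the thread or from BIND; the server names, the "next" name and the type list are constructed, and it assumes the verifier hashes the NSEC RDATA bytes exactly as served (the RFC 6840 section 5.1 rule that the NSEC "next" name is not downcased), so two wire forms cannot share one RRSIG.

```python
"""Flag authoritative servers whose NSEC RDATA differs from the majority.

Added example, not from the original thread. The sample responses below
are constructed: two of six servers return the "next" name with mixed case,
matching the symptom described for the cs.berkeley.edu/DS non-existence proof.
"""
import hashlib
from collections import Counter


def name_to_wire(name: str) -> bytes:
    """Encode a presentation-format name as uncompressed DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def type_bitmap(types: list[int]) -> bytes:
    """RFC 4034 section 4.1.2 type bitmap: window byte, length byte, bits."""
    windows: dict[int, bytearray] = {}
    for t in sorted(set(types)):
        win, off = divmod(t, 256)
        bits = windows.setdefault(win, bytearray(32))
        bits[off // 8] |= 0x80 >> (off % 8)
    out = b""
    for win in sorted(windows):
        bits = windows[win]
        length = max(i for i, b in enumerate(bits) if b) + 1
        out += bytes([win, length]) + bytes(bits[:length])
    return out


def nsec_digest(next_name: str, types: list[int]) -> str:
    """Digest of the NSEC RDATA as served; case in "next" changes the bytes."""
    return hashlib.sha256(name_to_wire(next_name) + type_bitmap(types)).hexdigest()


def find_inconsistent(responses: dict[str, tuple[str, list[int]]]) -> tuple[str, dict[str, str]]:
    """Return (majority digest, {server: digest}) for servers that disagree."""
    digests = {srv: nsec_digest(nxt, types) for srv, (nxt, types) in responses.items()}
    majority = Counter(digests.values()).most_common(1)[0][0]
    return majority, {s: d for s, d in digests.items() if d != majority}


# Constructed responses: delegation NSEC lists NS(2), RRSIG(46), NSEC(47).
SAMPLE = {f"ns{i}.example": ("next.berkeley.edu.", [2, 46, 47]) for i in range(1, 5)}
SAMPLE["ns5.example"] = ("Next.Berkeley.EDU.", [2, 46, 47])
SAMPLE["ns6.example"] = ("NEXT.berkeley.edu.", [2, 46, 47])
```

Run `find_inconsistent(SAMPLE)` against real answers collected per server (dig +norecurse against each NS) and any server listed in the second element is one that needs the zone retransferred.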