[dns-operations] Caveat in upgrading to BIND 9.7.3

Michael Sinatra michael at rancid.berkeley.edu
Thu Feb 24 23:34:47 UTC 2011

On 2/24/11 3:18 PM, Casey Deccio wrote:

> As an illustration, here is the impact that this had on insecure delegations
> from berekeley.edu:
> http://dnsviz.net/d/cs.berkeley.edu/1297818000000000/dnssec/
> Note that two distinct NSEC RRs were returned by the collective set of
> servers authoritative for berkeley.edu for proving non-existence of
> cs.berkeley.edu/DS.  Two of the six servers were serving an NSEC RR that had
> a name mixed case in the "next" field, and the others all had only lower
> case.  However, all servers were serving the same RRSIG covering the NSEC.
> Since the RRSIG was made from the NSEC with lower case, the RRSIG didn't
> validate against the NSEC served by the two servers.

This is also typical of how the bug manifested prior to 9.7.3.  It had 
never affected berkeley.edu before because I usually let DNS servers 
"settle" for a few days before shoving them back into the anycast cloud. 
  This generally gives zones time to naturally retransfer as updates are 
made and they are re-signed.  By quickly dropping in the 9.7.3 and 
putting the server back into production, the residual side-effects of 
this issue showed up.  Forcibly retransferring the zones fixes it 
permanently because 9.7.3 properly fixes the way that the zones are 
written to disk.


More information about the dns-operations mailing list