[dns-operations] BIND and the upcoming .COM DNSSEC change

Florian Weimer fw at deneb.enyo.de
Sun Mar 27 18:45:07 UTC 2011


It's not clear to me how buggy versions of BIND (9.6-ESV, in
particular) react to DNSSEC-related changes as described in:

<http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf>

Will a server restart be sufficient in all cases, even if the resolver
has enabled DLV?

I'm also a bit concerned that 9.6-ESV is effectively end-of-life.
(There's another fix for zone availability issues under DNSSEC which
hasn't been back-ported to it, either.)  Have I missed a public
statement from ISC on this matter?

Background: I suppose Debian needs to issue an advisory, now without
the fix in code, and I want to get the facts straight.


