[dns-operations] BIND and the upcoming .COM DNSSEC change

Larissa Shapiro larissas at isc.org
Mon Mar 28 11:37:38 UTC 2011


Colleagues,

ISC is issuing the following operational advisory in response to this
concern. Please circulate as appropriate.

Larissa



Operational Advisory for BIND 9.6-ESV-R3 and previous

This advisory is for operators currently deploying DNSSEC validating
resolvers.  It is urgent for those running BIND 9.6-ESV-R3, because
.com's DNSSEC information is scheduled to be inserted into the root zone
on March 31st (Thursday).

There is a defect in 9.6-ESV-R3 which affects DNSSEC validating
resolvers, and which can cause queries for .com names to fail with
validation errors when DNSSEC records for the .com zone are initially
inserted into the root zone.

9.6.3, 9.7.3, and 9.8.0 are not affected by this defect.  9.6.2 and
earlier versions are affected.

We are repackaging 9.6.3 as 9.6-ESV-R4.  Other than the version number,
there will be no functional changes between these versions.  We plan to
release this version on Tuesday, March 29th.

Today, our suggestion is this:

(1)  If you cannot wait to upgrade to 9.6-ESV-R4, you may install 9.6.3.

We will treat 9.6.3 as an ESV for support purposes until 9.6-ESV-R5 is
available, which is planned to occur within two months.

(2)  If you can wait to upgrade, please upgrade to 9.6-ESV-R4 before the
.com DNSSEC records are inserted into the root zone.

(3)  If you cannot upgrade your server software, you may want to disable
validation before the .com DNSSEC records are inserted into the root and
re-enable it again a few days after.

(4) If your server is not updated and becomes affected, "rndc flushname
com" should correct the problem, as would restarting the server.



> > -------- Original Message --------
> > Subject: [dns-operations] BIND and the upcoming .COM DNSSEC change
> > Date: Sun, 27 Mar 2011 20:45:07 +0200
> > From: Florian Weimer <fw at deneb.enyo.de>
> > To: dns-operations at mail.dns-oarc.net
> >
> > It's not clear to me how buggy versions of BIND (9.6-ESV, in
> > particular) react to DNSSEC-related changes as described in:
> >
> > <http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf>
> >
> > Will a server restart be sufficient in all cases, even if the resolver
> > has enabled DLV?
> >
> > I'm also a bit concerned that 9.6-ESV is effectively end-of-life.
> > (There's another fix for zone availability issues under DNSSEC which
> > hasn't been back-ported to it, either.)  Have I missed a public
> > statement from ISC on this matter?
> >
> > Background: I suppose Debian needs to issue an advisory, now without
> > the fix in code, and I want to get the facts straight.
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Larissa Shapiro, Internet Systems Consortium Product Manager
Technology Leadership for the Common Good
+1 650 423 1335  www.isc.org
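An added example, not ISC's code and not part of the advisory above: a small POSIX shell triage script that checks a resolver's BIND version against the versions the advisory names, detects the SERVFAIL a validating resolver returns to clients when validation fails, and prints or runs the advisory's step (4) remediation. The function names, the "affected/fixed/unknown" classification, and the SAMPLE_* dig header lines are my own (the samples are constructed, not captured from a real server); `named -v`, `dig +dnssec` and `rndc flushname com` are the real commands. It assumes named and rndc are configured locally and the resolver listens on 127.0.0.1.

```shell
#!/bin/sh
# Added example (not ISC's code). Triage helpers for a validating BIND
# resolver against the .com DS-insertion defect described in the advisory.
# Assumptions (mine): "named -v" prints "BIND <version>", rndc is configured
# for the local named, and dig can reach the resolver at 127.0.0.1. The
# classification functions take text arguments, so they run without any of
# those tools installed.

# Classify a "named -v" string against the versions the advisory names:
# "affected" (9.6-ESV through 9.6-ESV-R3, 9.6.2 and earlier), "fixed"
# (9.6.3, 9.6-ESV-R4 and later, 9.7.3, 9.8.0), "unknown" for anything else.
bind_version_status() {
  v=$(printf '%s\n' "$1" | awk '{ print ($1 == "BIND") ? $2 : $1 }')
  case "$v" in
    9.6-ESV-R[4-9]*|9.6-ESV-R[1-9][0-9]*) echo fixed ;;     # R4+ repackages 9.6.3
    9.6-ESV-R[1-3]*|9.6-ESV)              echo affected ;;
    9.6.3*|9.7.3*|9.8.0*)                 echo fixed ;;
    9.6.[0-2]|9.6.[0-2][!0-9]*)           echo affected ;;  # 9.6.2 and earlier
    *)                                    echo unknown ;;
  esac
}

# Return 0 if dig output shows the resolver answered SERVFAIL, which is how
# a validation failure reaches the client; 1 otherwise.
dig_servfail() {
  printf '%s\n' "$1" | grep -q -e '->>HEADER<<-.*status: SERVFAIL'
}

# Advisory step (4): clear the cached .com data. Prints the command unless
# called with "run", so the procedure can be rehearsed without touching named.
flush_com() {
  if [ "${1:-}" = run ]; then rndc flushname com; else echo 'rndc flushname com'; fi
}

# Constructed sample dig header lines (not captured from a real server).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4321'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322'

# Live triage of the local resolver; steps whose tools are missing are skipped.
triage() {
  if command -v named >/dev/null 2>&1; then
    ver=$(named -v)
    echo "named: $ver -> $(bind_version_status "$ver")"
  fi
  if command -v dig >/dev/null 2>&1; then
    out=$(dig +dnssec +time=3 +tries=1 @127.0.0.1 example.com A 2>&1 || true)
    if dig_servfail "$out"; then
      echo "SERVFAIL for a .com name; advisory step (4):"
      flush_com "${1:-}"
    else
      echo "no SERVFAIL for example.com"
    fi
  fi
}

# "triage" only reports and prints the remediation; "run" also executes rndc.
case "${1:-}" in
  triage|run) triage "$1" ;;
esac
```

Run it as `sh triage.sh triage` to report without changing anything, or `sh triage.sh run` to let it issue `rndc flushname com` on a SERVFAIL. Option (3) of the advisory, disabling validation for a few days, corresponds to `dnssec-validation no;` in the `options` block followed by a reload; that edit is left to the operator rather than scripted here.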
