[dns-operations] BIND validation problem with some DE zones [was: Operational Note -- DNSSEC for DE]

Chris Thompson cet1 at cam.ac.uk
Fri May 27 11:31:24 UTC 2011

Last night I wrote

>I have a BIND patch from ISC against bug report 24631 which apparently
>fixes the problem (it works for child.dnssec-bug.csi.cam.ac.uk anyway).
>I will refrain from posting it here pending permission from ISC. (Not
>that we could expect many BIND instances to get fixed before DENIC
>unobscure the "de" DNSKEYs, anyway.)

It turns out that ISC have slipped this into the new versions
9.6-ESV-R4-P1, 9.7.3-P1 and 9.8.0-P2 together with the ... umm,
more serious bug fix! It is there in the CHANGES file as 

3120.   [bug]     Named could fail to validate zones listed in a DLV
                  that validated insecure without using DLV and had
                  DS records in the parent zone. [RT #24631]

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
